To all maintainers of BLFS files mirrors:
There has been a change at Oregon State University Open Source Labs (osuosl) that
hosts all our package files. The new instruction to maintain currency of these files is:
/usr/bin/rsync -lprt --delete rsync2.osuosl.org::blfs /srv/ftp/BLFS
Note the change from rsync.osuosl.org to rsync2.osuosl.org.
This change is also at https://rivendell.linuxfromscratch.org/contribute.html
-- Bruce
Thursday, February 29, 2024
OpenBSD Errata: February 29, 2024 (vmm)
Errata patch for vmm(4) has been released for OpenBSD 7.4.
Binary updates for the amd64 platform are available via the syspatch
utility. Source code patches can be found on the respective errata
page:
https://www.openbsd.org/errata74.html
[USN-6671-1] php-nyholm-psr7 vulnerability
==========================================================================
Ubuntu Security Notice USN-6671-1
February 29, 2024
php-nyholm-psr7 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
Summary:
A header injection issue was fixed in php-nyholm-psr7.
Software Description:
- php-nyholm-psr7: A super lightweight PSR-7 implementation
Details:
It was discovered that php-nyholm-psr7 incorrectly parsed HTTP
headers. A remote attacker could possibly use this issue to perform
an HTTP header injection attack.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS (Available with Ubuntu Pro):
php-nyholm-psr7 1.5.0-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6671-1
CVE-2023-29197
[USN-6670-1] php-guzzlehttp-psr7 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6670-1
February 29, 2024
php-guzzlehttp-psr7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS
Summary:
Several header injection issues were fixed in php-guzzlehttp-psr7.
Software Description:
- php-guzzlehttp-psr7: PSR-7 HTTP message library
Details:
It was discovered that php-guzzlehttp-psr7 incorrectly parsed HTTP
headers. A remote attacker could possibly use these issues to perform
an HTTP header injection attack.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS (Available with Ubuntu Pro):
php-guzzlehttp-psr7 1.8.3-1ubuntu0.1~esm1
Ubuntu 20.04 LTS:
php-guzzlehttp-psr7 1.4.2-0.1+deb10u2build0.20.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6670-1
CVE-2022-24775, CVE-2023-29197
Package Information:
https://launchpad.net/ubuntu/+source/php-guzzlehttp-psr7/1.4.2-0.1+deb10u2build0.20.04.1
[CentOS-announce] CESA-2024:0957 Important CentOS 7 thunderbird Security Update
CentOS Errata and Security Advisory 2024:0957 Important
Upstream details at : https://access.redhat.com/errata/RHSA-2024:0957
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
852bab23cc3bdff5b4cdf1f101f36a4d1fd4e8d3e570d399b4ef0b06e0e29536 thunderbird-115.8.0-1.el7.centos.x86_64.rpm
Source:
11e2fb8b582c04f48eca9bb9cff8b661f03f1c0d45fbcca3c8ae096698110d06 thunderbird-115.8.0-1.el7.centos.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CESA-2024:0976 Important CentOS 7 firefox Security Update
CentOS Errata and Security Advisory 2024:0976 Important
Upstream details at : https://access.redhat.com/errata/RHSA-2024:0976
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
7cc5e8e7cd7fd7b33ddc2f01d6d1866e7073a0a2e8ec65d4a8b21009e3f67777 firefox-115.8.0-1.el7.centos.i686.rpm
107322552a77011bd81b348ebfbb5f9181eec6a6de74a1a746e6bccf9773e1a6 firefox-115.8.0-1.el7.centos.x86_64.rpm
Source:
6354f68d3ce245377a4c0f50452ee26c9004e7064feadc4b3af58ccb3e30e341 firefox-115.8.0-1.el7.centos.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS
[CentOS-announce] CEBA-2024:0987 CentOS 7 scap-security-guide BugFix Update
CentOS Errata and Bugfix Advisory 2024:0987
Upstream details at : https://access.redhat.com/errata/RHBA-2024:0987
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
e02972fac05c3f064d850d48bd37730bdc682a15ee48e9df9f51ad3d023e5115 scap-security-guide-0.1.72-2.el7.centos.noarch.rpm
047afe9b60a6d1228931b215d26c7cc7dc637d69a40463e0a25163cd20c53b43 scap-security-guide-doc-0.1.72-2.el7.centos.noarch.rpm
5858767f54c2120e5d407542c3960c0bcdbe0ac20b7db144d540566f95fa03ee scap-security-guide-rule-playbooks-0.1.72-2.el7.centos.noarch.rpm
Source:
d364bd885edeb9178483402c85515ed341cd1c5ccdbe06aae2cbff54ea7a4d2a scap-security-guide-0.1.72-2.el7.centos.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS
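The three CentOS-announce messages above (thunderbird, firefox and scap-security-guide) publish their files as "( sha256sum Filename )" lines so that mirror operators can check what they synced. As an added example, not part of the announcements or of the CentOS project's own tooling, the POSIX shell script below checks a local mirror directory against such a list. The checksum list and the files it checks are constructed samples, and the names ANNOUNCED, verify_announced and make_sample_mirror are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the CentOS announcements): verify a local mirror
# directory against the "( sha256sum Filename )" list from a CentOS-announce
# message. Everything below is constructed sample data.

# Constructed checksum list in the announcement layout (one space between
# hash and file name). The first hash is sha256 of "hello\n", the second is
# sha256 of the empty string; neither refers to a real package.
ANNOUNCED='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 sample-good.rpm
e3b0c44298fc1c149afbfbf4c8996fb92427ae41e4649b934ca495991b7852b8 sample-tampered.rpm'

# verify_announced DIR LIST
# Rewrites LIST into the "HASH  FILE" (two-space) form that sha256sum -c
# expects and checks every named file under DIR. --strict makes malformed
# lines count as a failure, --quiet prints only the files that fail.
# Returns 0 only when every listed file exists and matches its hash; a
# missing, unreadable or altered file makes it return non-zero.
verify_announced() {
    dir=$1
    list=$2
    printf '%s\n' "$list" \
      | awk 'NF >= 2 { print $1 "  " $2 }' \
      | ( cd "$dir" && sha256sum -c --strict --quiet - )
}

# make_sample_mirror DIR
# Builds a constructed mirror: sample-good.rpm matches its announced hash,
# sample-tampered.rpm does not (its content is not what was announced).
make_sample_mirror() {
    mkdir -p "$1" || return 1
    printf 'hello\n' > "$1/sample-good.rpm"
    printf 'hello\n' > "$1/sample-tampered.rpm"
}

# Stand-alone demonstration in a temporary directory: the tampered file is
# reported as FAILED and the check as a whole fails.
demo_dir=$(mktemp -d)
make_sample_mirror "$demo_dir"
if verify_announced "$demo_dir" "$ANNOUNCED"; then
    echo "all announced files verified"
else
    echo "mirror check failed: hold the sync until the mismatch is explained" >&2
fi
rm -rf "$demo_dir"
```

To use it on a real mirror, paste the hash lines from the announcement into ANNOUNCED (or read them from a file) and point verify_announced at the directory the mirror syncs into; take the list from the announcement itself rather than from a file that lives on the same mirror, since a checksum list stored next to the packages only proves the two were copied together.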
[USN-6651-3] Linux kernel (StarFive) vulnerabilities
-----BEGIN PGP SIGNATURE-----
wsB5BAABCAAjFiEEYrygdx1GDec9TV8EZ0GeRcM5nt0FAmXgmi4FAwAAAAAACgkQZ0GeRcM5nt0Z
vAf7BjXX9mJ3If9zy2OQbvA6MbUz/4MjOPj2n/I/oZfOlqtUqyNnOxaPy7fGgtThOTsuuCObGGig
N5f6BmojkCYTHk8Q47689BKgnfwiqibCAjDr7Xc61etSGwVBM1uKcJPYRBQeVomkrsV6iLHnY4tJ
wmf6UQalfQ3DAYFQ4VSruDIwthe7KhGEdE6Ii9KHBCdyxoh6Cpij2TKm45HbuYI602rP3BUuHweU
KrpwW5RsYz4K1o+0n7+CRCqtXh8uSNvODrzA0VaNk1XQkVTy0HPLnZkAfysSLp3XT3nXXC3R8d/W
jDytZorBjvSZQn77tvMB2aJW0sFUY87WntliygHu2g==
=IAe+
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6651-3
February 29, 2024
linux-starfive-6.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-starfive-6.5: Linux kernel for StarFive processors
Details:
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for null bitmap when releasing IDs.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2023-6915)
Robert Morris discovered that the CIFS network file system implementation
in the Linux kernel did not properly validate certain server command
fields, leading to an out-of-bounds read vulnerability. An attacker could
use this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2024-0565)
Jann Horn discovered that the io_uring subsystem in the Linux kernel did
not properly handle the release of certain buffer rings. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2024-0582)
Jann Horn discovered that the TLS subsystem in the Linux kernel did not
properly handle spliced messages, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2024-0646)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-6.5.0-1008-starfive 6.5.0-1008.9~22.04.1
linux-image-starfive 6.5.0.1008.9~22.04.3
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-6651-3
https://ubuntu.com/security/notices/USN-6651-1
CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,
CVE-2024-0582, CVE-2024-0646
Package Information:
https://launchpad.net/ubuntu/+source/linux-starfive-6.5/6.5.0-1008.9~22.04.1
[USN-6647-2] Linux kernel (Azure) vulnerabilities
-----BEGIN PGP SIGNATURE-----
wsB5BAABCAAjFiEEYrygdx1GDec9TV8EZ0GeRcM5nt0FAmXgmh0FAwAAAAAACgkQZ0GeRcM5nt2r
sQf/eA+TLuCyIz2ZzU0a3d/d3OIWwkqXgoAJwv9OLL7F9gVWFbNPZLSzuYFwmap6NoKcbZB+0A46
ql9nkoqXjvOraQytAh4/Cj9BfiWX8qRpp0I9MN+FoSBXCtHWzKyttfj/4sdkH+XfToLUGmLGe/Ml
3ZQDrce0onOe2QRP7yKktzcPR8q5bIKLU26YwpdIMvscor7gdt4fejW6E9NGMl6qKbaI0GGFlxWv
8L9oUpnhCvtqhfPHz0Stq23zBu3s3CrJvr6Yk6vSuRTLEYsNZ0E0MdVRBfpT2cm7ox2Kkbw5YmdG
Pi4DhheIa9xjn9TwU3jXSjQQQd39ve3ceaNwzWUbgg==
=wv3N
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6647-2
February 29, 2024
linux-azure vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
Details:
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the Rose X.25 protocol
implementation in the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51782)
It was discovered that the netfilter connection tracker for netlink in the
Linux kernel did not properly perform reference counting in some error
conditions. A local attacker could possibly use this to cause a denial of
service (memory exhaustion). (CVE-2023-7192)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
linux-image-4.15.0-1174-azure 4.15.0-1174.189~14.04.1
linux-image-azure 4.15.0.1174.140
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-6647-2
https://ubuntu.com/security/notices/USN-6647-1
CVE-2023-51780, CVE-2023-51782, CVE-2023-7192
[USN-6653-3] Linux kernel (Low Latency) vulnerabilities
-----BEGIN PGP SIGNATURE-----
wsB5BAABCAAjFiEEYrygdx1GDec9TV8EZ0GeRcM5nt0FAmXgmjkFAwAAAAAACgkQZ0GeRcM5nt3t
lgf9GrdI0nIZml/RSvMb8rkR6ZMslPAlPscQKhmfPep+FQzUO+HDIcFc48MlRvInXEBVWLpHJor+
uflxZg/Ds4B//L/PoDXKBls+gv2LC4BdjirQH8w/DwqRO9njKS5/D2nSEhULcom5JzJs08dKQPmc
0idoCYXbbIuh/VbNWVg9l7BhKPtibdtx47oJsI8NGBTxIwnV+h6cmvkcvuSefNMTxRzovy8Wqfws
MVWgvZEq+vYbh7r4mZws+XygkRyZ9kGsDiinkRBJ9w0Vela0hWBeCVhet6+5/lSo0vFnF0cw9gVA
tJCkW3iNfNZ+b7CxBX3wP1i2RFsTeWm9kKP8JGQZ/Q==
=P8g3
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6653-3
February 29, 2024
linux-lowlatency vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-lowlatency: Linux low latency kernel
Details:
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for null bitmap when releasing IDs.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2023-6915)
Robert Morris discovered that the CIFS network file system implementation
in the Linux kernel did not properly validate certain server command
fields, leading to an out-of-bounds read vulnerability. An attacker could
use this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2024-0565)
Jann Horn discovered that the TLS subsystem in the Linux kernel did not
properly handle spliced messages, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2024-0646)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.15.0-97-lowlatency 5.15.0-97.107
linux-image-5.15.0-97-lowlatency-64k 5.15.0-97.107
linux-image-lowlatency 5.15.0.97.95
linux-image-lowlatency-64k 5.15.0.97.95
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-6653-3
https://ubuntu.com/security/notices/USN-6653-1
CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,
CVE-2024-0646
Package Information:
https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-97.107
Wednesday, February 28, 2024
[USN-6653-2] Linux kernel (AWS) vulnerabilities
-----BEGIN PGP SIGNATURE-----
wsB5BAABCAAjFiEEYrygdx1GDec9TV8EZ0GeRcM5nt0FAmXffVAFAwAAAAAACgkQZ0GeRcM5nt2r
PQf/Zg6GhaxOZioeeemIrsB3XoRk44qYMw3Vnla7PjRkx3CIddUHFco3Tkw8Y1Ky8RAot+r/5LQg
gk7WcTTMWVzP9mb3ZouXRj21Cb2GPAs7NZUtxsyLYn7BEw63FWk7tw8+hjrDoBEknbCjTpO4dKYa
RgALff4WHlqZZbzEWiRgsC8/Gkyvff5JoJNisQAwi7g3IJGSCSaOHE0EeXNtbfbuRu/zaewDAjtZ
ztphnE3OKQfoKsJumelOkghG38+Y3YO2fqYUV2LsEiwRL6yIpgUOb7sCEmoQe3XOT8E4lJCYFKs3
SRcqx07ChTfEtOwUkjF8La8DnSly1yCLaVm7MhmGLw==
=pM4+
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-6653-2
February 28, 2024
linux-aws, linux-aws-5.15 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems
Details:
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for null bitmap when releasing IDs.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2023-6915)
Robert Morris discovered that the CIFS network file system implementation
in the Linux kernel did not properly validate certain server command
fields, leading to an out-of-bounds read vulnerability. An attacker could
use this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2024-0565)
Jann Horn discovered that the TLS subsystem in the Linux kernel did not
properly handle spliced messages, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2024-0646)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.15.0-1055-aws 5.15.0-1055.60
linux-image-aws-lts-22.04 5.15.0.1055.54
Ubuntu 20.04 LTS:
linux-image-5.15.0-1055-aws 5.15.0-1055.60~20.04.1
linux-image-aws 5.15.0.1055.60~20.04.42
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-6653-2
https://ubuntu.com/security/notices/USN-6653-1
CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,
CVE-2024-0646
Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1055.60
https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1055.60~20.04.1
[USN-6651-2] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6651-2
February 28, 2024
linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-lowlatency: Linux low latency kernel
- linux-lowlatency-hwe-6.5: Linux low latency kernel
- linux-oem-6.5: Linux kernel for OEM systems
Details:
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for null bitmap when releasing IDs.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2023-6915)
Robert Morris discovered that the CIFS network file system implementation
in the Linux kernel did not properly validate certain server command
fields, leading to an out-of-bounds read vulnerability. An attacker could
use this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2024-0565)
Jann Horn discovered that the io_uring subsystem in the Linux kernel did
not properly handle the release of certain buffer rings. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2024-0582)
Jann Horn discovered that the TLS subsystem in the Linux kernel did not
properly handle spliced messages, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2024-0646)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
linux-image-6.5.0-21-lowlatency 6.5.0-21.21.1
linux-image-6.5.0-21-lowlatency-64k 6.5.0-21.21.1
linux-image-lowlatency 6.5.0.21.21.15
linux-image-lowlatency-64k 6.5.0.21.21.15
Ubuntu 22.04 LTS:
linux-image-6.5.0-1015-oem 6.5.0-1015.16
linux-image-6.5.0-21-lowlatency 6.5.0-21.21.1~22.04.1
linux-image-6.5.0-21-lowlatency-64k 6.5.0-21.21.1~22.04.1
linux-image-lowlatency-64k-hwe-22.04 6.5.0.21.21.1~22.04.7
linux-image-lowlatency-hwe-22.04 6.5.0.21.21.1~22.04.7
linux-image-oem-22.04d 6.5.0.1015.17
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-6651-2
https://ubuntu.com/security/notices/USN-6651-1
CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,
CVE-2024-0582, CVE-2024-0646
Package Information:
https://launchpad.net/ubuntu/+source/linux-lowlatency/6.5.0-21.21.1
https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.5/6.5.0-21.21.1~22.04.1
https://launchpad.net/ubuntu/+source/linux-oem-6.5/6.5.0-1015.16
[USN-6648-2] Linux kernel (Azure) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6648-2
February 28, 2024
linux-azure, linux-azure-5.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems
Details:
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for null bitmap when releasing IDs.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2023-6915)
Robert Morris discovered that the CIFS network file system implementation
in the Linux kernel did not properly validate certain server command
fields, leading to an out-of-bounds read vulnerability. An attacker could
use this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2024-0565)
Jann Horn discovered that the TLS subsystem in the Linux kernel did not
properly handle spliced messages, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2024-0646)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.4.0-1124-azure 5.4.0-1124.131
linux-image-azure-lts-20.04 5.4.0.1124.117
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
linux-image-5.4.0-1124-azure 5.4.0-1124.131~18.04.1
linux-image-azure 5.4.0.1124.97
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-6648-2
https://ubuntu.com/security/notices/USN-6648-1
CVE-2023-51781, CVE-2023-6915, CVE-2024-0565, CVE-2024-0646
Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1124.131
[USN-6667-1] Cpanel-JSON-XS vulnerability
==========================================================================
Ubuntu Security Notice USN-6667-1
February 28, 2024
libcpanel-json-xs-perl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Cpanel-JSON-XS could be made to crash or expose information if it
processed specially crafted data.
Software Description:
- libcpanel-json-xs-perl: module for fast and correct serialising to JSON
Details:
It was discovered that Cpanel-JSON-XS incorrectly decoded certain data. A
remote attacker could use this issue to cause Cpanel-JSON-XS to crash,
resulting in a denial of service, or possibly obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libcpanel-json-xs-perl 4.27-1ubuntu0.1
Ubuntu 20.04 LTS:
libcpanel-json-xs-perl 4.19-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6667-1
CVE-2022-48623
Package Information:
https://launchpad.net/ubuntu/+source/libcpanel-json-xs-perl/4.27-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libcpanel-json-xs-perl/4.19-1ubuntu0.1
[USN-6668-1] python-openstackclient vulnerability
==========================================================================
Ubuntu Security Notice USN-6668-1
February 28, 2024
python-openstackclient vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
python-openstackclient could delete incorrect access rules.
Software Description:
- python-openstackclient: OpenStack Command-line Client
Details:
It was discovered that when python-openstackclient attempted to delete a
non-existing access rule, it would delete another existing access rule
instead, contrary to expectations.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
python3-openstackclient 5.8.0-0ubuntu1.1
Ubuntu 20.04 LTS:
python3-openstackclient 5.2.0-0ubuntu1.20.04.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6668-1
CVE-2023-6110
Package Information:
https://launchpad.net/ubuntu/+source/python-openstackclient/5.8.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/python-openstackclient/5.2.0-0ubuntu1.20.04.2
[USN-6666-1] libuv vulnerability
==========================================================================
Ubuntu Security Notice USN-6666-1
February 28, 2024
libuv1 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
libuv could be made to truncate certain hostnames.
Software Description:
- libuv1: asynchronous event notification library
Details:
It was discovered that libuv incorrectly truncated certain hostnames. A
remote attacker could possibly use this issue with specially crafted
hostnames to bypass certain checks.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
libuv1 1.44.2-1ubuntu0.1
Ubuntu 22.04 LTS:
libuv1 1.43.0-1ubuntu0.1
Ubuntu 20.04 LTS:
libuv1 1.34.2-1ubuntu1.5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6666-1
CVE-2024-24806
Package Information:
https://launchpad.net/ubuntu/+source/libuv1/1.44.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libuv1/1.43.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libuv1/1.34.2-1ubuntu1.5
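USN-6666-1 says only that libuv truncated certain hostnames and that a crafted name could be used to bypass checks. The model below is an added example, not libuv code, and shows the general failure: the application checks the full hostname, the resolver is handed a shortened copy, and the two disagree about which host is meant. The resolver is a constructed stub, the 256-character cut-off and the suffix allowlist are the model's assumptions (the notice does not state the limit), and the crafted name is built from ordinary labels of at most 63 characters. The hardened wrapper rejects names longer than the DNS limit instead of cutting them.

```python
"""Model of the hostname-truncation failure behind USN-6666-1 (libuv,
CVE-2024-24806).  Added example, not libuv code: the resolver is a
constructed stub and the 256-character cut-off is the model's choice.
A check made on the full string and a lookup made on a shortened copy
can name different hosts."""

MAX_HOSTNAME = 253  # RFC 1035: a domain name in text form is at most 253 chars
TRUNCATE_AT = 256   # assumed size of the fixed buffer in the vulnerable wrapper
ATTACKER_IP = "203.0.113.66"   # TEST-NET-3, stands in for an attacker host
EXPECTED_IP = "198.51.100.10"  # TEST-NET-2, stands in for the allowed host

def fake_resolve(name):
    """Constructed stand-in for getaddrinfo(): anything under evil.example
    answers with the attacker's address, anything under allowed.example
    with the expected one."""
    name = name.rstrip(".")
    if name == "evil.example" or name.endswith(".evil.example"):
        return ATTACKER_IP
    if name == "allowed.example" or name.endswith(".allowed.example"):
        return EXPECTED_IP
    raise LookupError("no such host: " + name)

def allowed(hostname):
    """The application's destination check, applied to the full string."""
    return hostname == "allowed.example" or hostname.endswith(".allowed.example")

def resolve_vulnerable(hostname):
    """Bug pattern: the name is cut to the buffer size before it reaches the
    resolver, so the resolver and allowed() see different names."""
    return fake_resolve(hostname[:TRUNCATE_AT])

def resolve_fixed(hostname):
    """Hardened wrapper: an over-long name is an error, never silently cut."""
    if len(hostname) > MAX_HOSTNAME:
        raise ValueError("hostname too long: %d chars" % len(hostname))
    return fake_resolve(hostname)

def padding_labels(n):
    """Exactly n characters of dot-separated labels of at most 63 chars each
    (n must not leave a zero-length label; it does not for the n used here)."""
    out = ""
    while len(out) < n:
        room = n - len(out)
        if out:
            out += "."
            room -= 1
        out += "a" * min(63, room)
    return out

def craft_bypass():
    """A name whose first TRUNCATE_AT characters form a host under
    evil.example while the whole string still ends in .allowed.example."""
    tail = ".evil.example"
    cut_part = padding_labels(TRUNCATE_AT - len(tail)) + tail  # exactly 256 chars
    return cut_part + ".allowed.example"

if __name__ == "__main__":
    h = craft_bypass()
    print("passes allowlist check:", allowed(h))
    print("vulnerable wrapper resolves to:", resolve_vulnerable(h))
    try:
        resolve_fixed(h)
    except ValueError as e:
        print("fixed wrapper:", e)
```

The lesson carries beyond libuv: any wrapper that copies a caller-supplied name into a fixed buffer must fail closed on overflow, and any check on a hostname has to run on exactly the bytes the resolver will receive.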
[USN-6665-1] Unbound vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6665-1
February 28, 2024
unbound vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Unbound.
Software Description:
- unbound: validating, recursive, caching DNS resolver
Details:
Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered
that Unbound incorrectly handled validating DNSSEC messages. A remote
attacker could possibly use this issue to cause Unbound to consume
resources, leading to a denial of service. (CVE-2023-50387)
It was discovered that Unbound incorrectly handled preparing an NSEC3
closest encloser proof. A remote attacker could possibly use this issue to
cause Unbound to consume resources, leading to a denial of service.
(CVE-2023-50868)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
libunbound8 1.17.1-2ubuntu0.1
unbound 1.17.1-2ubuntu0.1
Ubuntu 22.04 LTS:
libunbound8 1.13.1-1ubuntu5.4
unbound 1.13.1-1ubuntu5.4
Ubuntu 20.04 LTS:
libunbound8 1.9.4-2ubuntu1.5
unbound 1.9.4-2ubuntu1.5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6665-1
CVE-2023-50387, CVE-2023-50868
Package Information:
https://launchpad.net/ubuntu/+source/unbound/1.17.1-2ubuntu0.1
https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubuntu5.4
https://launchpad.net/ubuntu/+source/unbound/1.9.4-2ubuntu1.5
Tuesday, February 27, 2024
[USN-6644-2] LibTIFF vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6644-2
February 27, 2024
tiff vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in LibTIFF.
Software Description:
- tiff: Tag Image File Format (TIFF) library
Details:
USN-6644-1 fixed vulnerabilities in LibTIFF.
This update provides the corresponding updates for Ubuntu 22.04 LTS.
Original advisory details:
It was discovered that LibTIFF incorrectly handled certain files. If
a user were tricked into opening a specially crafted file, an attacker
could possibly use this issue to cause the application to crash, resulting
in a denial of service. (CVE-2023-52356)
It was discovered that LibTIFF incorrectly handled certain image files
with the tiffcp utility. If a user were tricked into opening a specially
crafted image file, an attacker could possibly use this issue to cause
tiffcp to crash, resulting in a denial of service. (CVE-2023-6228)
It was discovered that LibTIFF incorrectly handled certain files. If
a user were tricked into opening a specially crafted file, an attacker
could possibly use this issue to cause the application to consume
resources, resulting in a denial of service. (CVE-2023-6277)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libtiff-tools 4.3.0-6ubuntu0.8
libtiff5 4.3.0-6ubuntu0.8
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6644-2
https://ubuntu.com/security/notices/USN-6644-1
CVE-2023-52356, CVE-2023-6228, CVE-2023-6277
Package Information:
https://launchpad.net/ubuntu/+source/tiff/4.3.0-6ubuntu0.8
[USN-6664-1] less vulnerability
==========================================================================
Ubuntu Security Notice USN-6664-1
February 27, 2024
less vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
less could be made to crash or run arbitrary commands if it receives
a crafted input.
Software Description:
- less: pager program similar to more
Details:
It was discovered that less incorrectly handled certain file names.
An attacker could possibly use this issue to cause a crash or execute
arbitrary commands.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
less 590-2ubuntu0.23.10.1
Ubuntu 22.04 LTS:
less 590-1ubuntu0.22.04.2
Ubuntu 20.04 LTS:
less 551-1ubuntu0.2
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
less 487-0.1ubuntu0.1~esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
less 481-2.1ubuntu0.2+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6664-1
CVE-2022-48624
Package Information:
https://launchpad.net/ubuntu/+source/less/590-2ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/less/590-1ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/less/551-1ubuntu0.2
Fedora Linux 40 Bodhi updates-testing activation & Beta freeze
Hi all,
Today's an important day on the Fedora Linux f40 schedule [1], with
several significant cut-offs. First of all, today is the Bodhi
updates-testing activation point [2]. That means that from now all
Fedora Linux 40 packages must be submitted to updates-testing and pass
the relevant requirements [3] before they will be marked as 'stable' and
moved to the Fedora Repository.
Today is also the Beta freeze [4]. This means that only packages which
fix accepted blocker or freeze exception bugs [5][6] will be marked as
'stable' and included in the Beta composes. Other builds will remain in
updates-testing until the Beta release is approved, at which point the
Beta freeze is lifted and packages can move to 'stable' as usual until
the Final freeze.
Today is also the Software String freeze [7], which means that strings
marked for translation in Fedora-translated projects should not now be
changed for Fedora Linux 40.
Finally, today is the 'completion deadline' Change Checkpoint [8],
meaning that Fedora Linux f40 Changes must now be 'feature complete or
close enough to completion that a majority of its functionality can be
tested'. All tracking bugs should be on ON_QA state or later to reflect
this.
Regards,
Fedora Release Engineering
[1] https://fedorapeople.org/groups/schedule/f-40/f-40-key-tasks.html
[2] https://fedoraproject.org/wiki/Updates_Policy#Bodhi_enabling
[3] https://fedoraproject.org/wiki/Updates_Policy#Branched_release
[4] https://fedoraproject.org/wiki/Milestone_freezes
[5] https://fedoraproject.org/wiki/QA:SOP_blocker_bug_process
[6] https://fedoraproject.org/wiki/QA:SOP_freeze_exception_bug_process
[7] https://fedoraproject.org/wiki/ReleaseEngineering/StringFreezePolicy
[8] https://fedoraproject.org/wiki/Changes/Policy
--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[USN-6663-1] OpenSSL update
==========================================================================
Ubuntu Security Notice USN-6663-1
February 27, 2024
openssl update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
Summary:
Add implicit rejection in PKCS#1 v1.5 in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
As a security improvement, this update stops OpenSSL from returning an
error when it detects wrong padding during PKCS#1 v1.5 RSA decryption,
so that the error cannot serve as a padding oracle in possible
Bleichenbacher-style timing attacks.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
libssl-doc 3.0.10-1ubuntu2.3
libssl3 3.0.10-1ubuntu2.3
openssl 3.0.10-1ubuntu2.3
Ubuntu 22.04 LTS:
libssl-doc 3.0.2-0ubuntu1.15
libssl3 3.0.2-0ubuntu1.15
openssl 3.0.2-0ubuntu1.15
Ubuntu 20.04 LTS:
libssl-doc 1.1.1f-1ubuntu2.22
libssl1.1 1.1.1f-1ubuntu2.22
openssl 1.1.1f-1ubuntu2.22
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libssl-doc 1.1.1-1ubuntu2.1~18.04.23+esm5
libssl1.1 1.1.1-1ubuntu2.1~18.04.23+esm5
openssl 1.1.1-1ubuntu2.1~18.04.23+esm5
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6663-1
https://launchpad.net/bugs/2054090
Package Information:
https://launchpad.net/ubuntu/+source/openssl/3.0.10-1ubuntu2.3
https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.15
https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.22
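The mitigation the notice describes, as an added example that is not OpenSSL's code: the pre-update decrypt that raises on bad PKCS#1 v1.5 padding (the oracle) beside an implicit-rejection decrypt that returns a deterministic, key-bound synthetic message instead. The toy RSA key built from two Mersenne primes is constructed and insecure, and the synthetic-message derivation is a simplified assumption, not OpenSSL's exact construction.

```python
import hashlib
import hmac
import os

# Constructed toy RSA key built from two Mersenne primes so the example runs
# offline with no key generation. Far too small to be secure: illustration only.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (30 for this key)


def rsa_encrypt_block(em: bytes) -> bytes:
    """Textbook RSA public operation on an already-encoded K-byte block (em < N)."""
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def rsa_decrypt_block(ct: bytes) -> bytes:
    """Textbook RSA private operation; returns the K-byte encoded block."""
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def pkcs1_v15_encrypt(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 encryption: 0x00 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(b % 255 + 1 for b in os.urandom(ps_len))   # random, never 0x00
    return rsa_encrypt_block(b"\x00\x02" + ps + b"\x00" + msg)


def unpad_v15(em: bytes):
    """Check the PKCS#1 v1.5 type-2 structure. Returns (ok, message)."""
    ok = len(em) == K and em[0] == 0x00 and em[1] == 0x02
    sep = em.find(b"\x00", 2)          # first 0x00 after the two header bytes
    ok = ok and sep >= 10              # at least 8 padding bytes before it
    return ok, (em[sep + 1:] if ok else b"")


def decrypt_explicit_reject(ct: bytes) -> bytes:
    """Pre-update behaviour: a padding failure surfaces as an error.

    That error, and the time taken to reach it, is the padding oracle that
    Bleichenbacher-style attacks depend on."""
    ok, msg = unpad_v15(rsa_decrypt_block(ct))
    if not ok:
        raise ValueError("bad PKCS#1 v1.5 padding")
    return msg


def synthetic_message(ct: bytes) -> bytes:
    """Deterministic stand-in plaintext for a ciphertext whose padding fails.

    Simplified version of the published implicit-rejection idea (an assumption,
    not OpenSSL's exact derivation): a secret derived from the private key is
    mixed with the ciphertext, so the same ciphertext always yields the same
    stand-in, with a pseudo-random length inside the range a valid message
    could have."""
    secret = hashlib.sha256(D.to_bytes(K, "big")).digest()
    max_len = K - 11                       # longest message a valid block carries
    head = hmac.new(secret, ct, hashlib.sha256).digest()
    length = int.from_bytes(head[:2], "big") % (max_len + 1)
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hmac.new(secret, ct + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return stream[:length]


def decrypt_implicit_reject(ct: bytes) -> bytes:
    """Post-update behaviour: no error path. A bad block yields the synthetic
    message, so the caller (and a remote peer) sees a plaintext either way.

    Pure Python cannot make this constant-time; what is shown is the interface:
    valid and invalid padding produce the same kind of result."""
    ok, msg = unpad_v15(rsa_decrypt_block(ct))
    fake = synthetic_message(ct)           # always computed, never skipped
    return msg if ok else fake


def padding_error_visible(decrypt, ct: bytes) -> bool:
    """True if the given decrypt function leaks a padding failure as an exception."""
    try:
        decrypt(ct)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ct = pkcs1_v15_encrypt(b"hello")
    # Constructed invalid block: type-1 (signature) header instead of type 2.
    bad = rsa_encrypt_block(b"\x00\x01" + b"\xff" * (K - 3) + b"\x00")
    print(decrypt_implicit_reject(ct))                          # b'hello'
    print(padding_error_visible(decrypt_explicit_reject, bad))  # True
    print(padding_error_visible(decrypt_implicit_reject, bad))  # False
```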
[USN-6305-2] PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6305-2
February 27, 2024
php7.0, php7.2, php7.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in PHP.
Software Description:
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter
Details:
USN-6305-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that PHP incorrectly handled certain XML files.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2023-3823)
It was discovered that PHP incorrectly handled certain PHAR files.
An attacker could possibly use this issue to cause a crash,
expose sensitive information or execute arbitrary code.
(CVE-2023-3824)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
libapache2-mod-php7.4 7.4.3-4ubuntu2.20
php7.4 7.4.3-4ubuntu2.20
php7.4-cgi 7.4.3-4ubuntu2.20
php7.4-cli 7.4.3-4ubuntu2.20
php7.4-fpm 7.4.3-4ubuntu2.20
php7.4-xml 7.4.3-4ubuntu2.20
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libapache2-mod-php7.2 7.2.24-0ubuntu0.18.04.17+esm2
php7.2 7.2.24-0ubuntu0.18.04.17+esm2
php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm2
php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm2
php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm2
php7.2-xml 7.2.24-0ubuntu0.18.04.17+esm2
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.16+esm8
php7.0 7.0.33-0ubuntu0.16.04.16+esm8
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm8
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm8
php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm8
php7.0-xml 7.0.33-0ubuntu0.16.04.16+esm8
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6305-2
https://ubuntu.com/security/notices/USN-6305-1
CVE-2023-3823, CVE-2023-3824
Package Information:
https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.20
Monday, February 26, 2024
[USN-6662-1] OpenJDK 21 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6662-1
February 27, 2024
openjdk-21 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in OpenJDK 21.
Software Description:
- openjdk-21: Open Source Java implementation
Details:
Yi Yang discovered that the Hotspot component of OpenJDK 21 incorrectly
handled array accesses in the C1 compiler. An attacker could possibly
use this issue to cause a denial of service, execute arbitrary code or
bypass Java sandbox restrictions. (CVE-2024-20918)
It was discovered that the Hotspot component of OpenJDK 21 did not
properly verify bytecode in certain situations. An attacker could
possibly use this issue to bypass Java sandbox restrictions.
(CVE-2024-20919)
It was discovered that the Hotspot component of OpenJDK 21 had an
optimization flaw when generating range check loop predicates. An attacker
could possibly use this issue to cause a denial of service, execute
arbitrary code or bypass Java sandbox restrictions. (CVE-2024-20921)
It was discovered that OpenJDK 21 could produce debug logs that contained
private keys used for digital signatures. An attacker could possibly use
this issue to obtain sensitive information. (CVE-2024-20945)
Hubert Kario discovered that the TLS implementation in OpenJDK 21 had a
timing side-channel and incorrectly handled RSA padding. A remote attacker
could possibly use this issue to recover sensitive information.
(CVE-2024-20952)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
openjdk-21-jdk 21.0.2+13-1~23.10.1
openjdk-21-jdk-headless 21.0.2+13-1~23.10.1
openjdk-21-jre 21.0.2+13-1~23.10.1
openjdk-21-jre-headless 21.0.2+13-1~23.10.1
openjdk-21-jre-zero 21.0.2+13-1~23.10.1
Ubuntu 22.04 LTS:
openjdk-21-jdk 21.0.2+13-1~22.04.1
openjdk-21-jdk-headless 21.0.2+13-1~22.04.1
openjdk-21-jre 21.0.2+13-1~22.04.1
openjdk-21-jre-headless 21.0.2+13-1~22.04.1
openjdk-21-jre-zero 21.0.2+13-1~22.04.1
Ubuntu 20.04 LTS:
openjdk-21-jdk 21.0.2+13-1~20.04.1
openjdk-21-jdk-headless 21.0.2+13-1~20.04.1
openjdk-21-jre 21.0.2+13-1~20.04.1
openjdk-21-jre-headless 21.0.2+13-1~20.04.1
openjdk-21-jre-zero 21.0.2+13-1~20.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6662-1
CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945,
CVE-2024-20952
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.2+13-1~23.10.1
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.2+13-1~22.04.1
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.2+13-1~20.04.1
[USN-6661-1] OpenJDK 17 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6661-1
February 27, 2024
openjdk-17 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in OpenJDK 17.
Software Description:
- openjdk-17: Open Source Java implementation
Details:
Yi Yang discovered that the Hotspot component of OpenJDK 17 incorrectly
handled array accesses in the C1 compiler. An attacker could possibly
use this issue to cause a denial of service, execute arbitrary code or
bypass Java sandbox restrictions. (CVE-2024-20918)
It was discovered that the Hotspot component of OpenJDK 17 did not
properly verify bytecode in certain situations. An attacker could
possibly use this issue to bypass Java sandbox restrictions.
(CVE-2024-20919)
It was discovered that the Hotspot component of OpenJDK 17 had an
optimization flaw when generating range check loop predicates. An attacker
could possibly use this issue to cause a denial of service, execute
arbitrary code or bypass Java sandbox restrictions. (CVE-2024-20921)
Yakov Shafranovich discovered that OpenJDK 17 incorrectly handled ZIP
archives that have file and directory entries with the same name. An
attacker could possibly use this issue to bypass Java sandbox
restrictions. (CVE-2024-20932)
It was discovered that OpenJDK 17 could produce debug logs that contained
private keys used for digital signatures. An attacker could possibly use
this issue to obtain sensitive information. (CVE-2024-20945)
Hubert Kario discovered that the TLS implementation in OpenJDK 17 had a
timing side-channel and incorrectly handled RSA padding. A remote attacker
could possibly use this issue to recover sensitive information.
(CVE-2024-20952)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
openjdk-17-jdk 17.0.10+7-1~23.10.1
openjdk-17-jdk-headless 17.0.10+7-1~23.10.1
openjdk-17-jre 17.0.10+7-1~23.10.1
openjdk-17-jre-headless 17.0.10+7-1~23.10.1
openjdk-17-jre-zero 17.0.10+7-1~23.10.1
Ubuntu 22.04 LTS:
openjdk-17-jdk 17.0.10+7-1~22.04.1
openjdk-17-jdk-headless 17.0.10+7-1~22.04.1
openjdk-17-jre 17.0.10+7-1~22.04.1
openjdk-17-jre-headless 17.0.10+7-1~22.04.1
openjdk-17-jre-zero 17.0.10+7-1~22.04.1
Ubuntu 20.04 LTS:
openjdk-17-jdk 17.0.10+7-1~20.04.1
openjdk-17-jdk-headless 17.0.10+7-1~20.04.1
openjdk-17-jre 17.0.10+7-1~20.04.1
openjdk-17-jre-headless 17.0.10+7-1~20.04.1
openjdk-17-jre-zero 17.0.10+7-1~20.04.1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
openjdk-17-jdk 17.0.10+7-1~18.04.1
openjdk-17-jdk-headless 17.0.10+7-1~18.04.1
openjdk-17-jre 17.0.10+7-1~18.04.1
openjdk-17-jre-headless 17.0.10+7-1~18.04.1
openjdk-17-jre-zero 17.0.10+7-1~18.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6661-1
CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20932,
CVE-2024-20945, CVE-2024-20952
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.10+7-1~23.10.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.10+7-1~22.04.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.10+7-1~20.04.1
[USN-6660-1] OpenJDK 11 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6660-1
February 27, 2024
openjdk-lts vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in OpenJDK 11.
Software Description:
- openjdk-lts: Open Source Java implementation
Details:
Yi Yang discovered that the Hotspot component of OpenJDK 11 incorrectly
handled array accesses in the C1 compiler. An attacker could possibly
use this issue to cause a denial of service, execute arbitrary code or
bypass Java sandbox restrictions. (CVE-2024-20918)
It was discovered that the Hotspot component of OpenJDK 11 did not
properly verify bytecode in certain situations. An attacker could
possibly use this issue to bypass Java sandbox restrictions.
(CVE-2024-20919)
It was discovered that the Hotspot component of OpenJDK 11 had an
optimization flaw when generating range check loop predicates. An attacker
could possibly use this issue to cause a denial of service, execute
arbitrary code or bypass Java sandbox restrictions. (CVE-2024-20921)
Valentin Eudeline discovered that OpenJDK 11 incorrectly handled certain
options in the Nashorn JavaScript subcomponent. An attacker could
possibly use this issue to execute arbitrary code. (CVE-2024-20926)
It was discovered that OpenJDK 11 could produce debug logs that contained
private keys used for digital signatures. An attacker could possibly use
this issue to obtain sensitive information. (CVE-2024-20945)
Hubert Kario discovered that the TLS implementation in OpenJDK 11 had a
timing side-channel and incorrectly handled RSA padding. A remote attacker
could possibly use this issue to recover sensitive information.
(CVE-2024-20952)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
openjdk-11-jdk 11.0.22+7-0ubuntu2~23.10.1
openjdk-11-jdk-headless 11.0.22+7-0ubuntu2~23.10.1
openjdk-11-jre 11.0.22+7-0ubuntu2~23.10.1
openjdk-11-jre-headless 11.0.22+7-0ubuntu2~23.10.1
openjdk-11-jre-zero 11.0.22+7-0ubuntu2~23.10.1
Ubuntu 22.04 LTS:
openjdk-11-jdk 11.0.22+7-0ubuntu2~22.04.1
openjdk-11-jdk-headless 11.0.22+7-0ubuntu2~22.04.1
openjdk-11-jre 11.0.22+7-0ubuntu2~22.04.1
openjdk-11-jre-headless 11.0.22+7-0ubuntu2~22.04.1
openjdk-11-jre-zero 11.0.22+7-0ubuntu2~22.04.1
Ubuntu 20.04 LTS:
openjdk-11-jdk 11.0.22+7-0ubuntu2~20.04.1
openjdk-11-jdk-headless 11.0.22+7-0ubuntu2~20.04.1
openjdk-11-jre 11.0.22+7-0ubuntu2~20.04.1
openjdk-11-jre-headless 11.0.22+7-0ubuntu2~20.04.1
openjdk-11-jre-zero 11.0.22+7-0ubuntu2~20.04.1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
openjdk-11-jdk 11.0.22+7-0ubuntu2~18.04.1
openjdk-11-jdk-headless 11.0.22+7-0ubuntu2~18.04.1
openjdk-11-jre 11.0.22+7-0ubuntu2~18.04.1
openjdk-11-jre-headless 11.0.22+7-0ubuntu2~18.04.1
openjdk-11-jre-zero 11.0.22+7-0ubuntu2~18.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6660-1
CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926,
CVE-2024-20945, CVE-2024-20952
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.22+7-0ubuntu2~23.10.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.22+7-0ubuntu2~22.04.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.22+7-0ubuntu2~20.04.1
[USN-6659-1] libde265 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6659-1
February 26, 2024
libde265 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in libde265.
Software Description:
- libde265: Open H.265 video codec implementation
Details:
It was discovered that libde265 could be made to write out of bounds. If a
user or automated system were tricked into opening a specially crafted
file, an attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. (CVE-2022-43244, CVE-2022-43249,
CVE-2022-43250, CVE-2022-47665, CVE-2023-25221)
It was discovered that libde265 could be made to read out of bounds. If a
user or automated system were tricked into opening a specially crafted
file, an attacker could possibly use this issue to cause a denial of
service. (CVE-2022-43245)
It was discovered that libde265 could be made to dereference invalid
memory. If a user or automated system were tricked into opening a specially
crafted file, an attacker could possibly use this issue to cause a denial
of service. (CVE-2023-24751, CVE-2023-24752, CVE-2023-24754,
CVE-2023-24755, CVE-2023-24756, CVE-2023-24757, CVE-2023-24758)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libde265-0 1.0.8-1ubuntu0.2
Ubuntu 20.04 LTS:
libde265-0 1.0.4-1ubuntu0.3
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libde265-0 1.0.2-2ubuntu0.18.04.1~esm3
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libde265-0 1.0.2-2ubuntu0.16.04.1~esm3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6659-1
CVE-2022-43244, CVE-2022-43245, CVE-2022-43249, CVE-2022-43250,
CVE-2022-47665, CVE-2023-24751, CVE-2023-24752, CVE-2023-24754,
CVE-2023-24755, CVE-2023-24756, CVE-2023-24757, CVE-2023-24758,
CVE-2023-25221
Package Information:
https://launchpad.net/ubuntu/+source/libde265/1.0.8-1ubuntu0.2
https://launchpad.net/ubuntu/+source/libde265/1.0.4-1ubuntu0.3
[USN-6658-1] libxml2 vulnerability
==========================================================================
Ubuntu Security Notice USN-6658-1
February 26, 2024
libxml2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
libxml2 could be made to crash or run programs if it opened a specially
crafted file.
Software Description:
- libxml2: GNOME XML library
Details:
It was discovered that libxml2 incorrectly handled certain XML documents. A
remote attacker could possibly use this issue to cause libxml2 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
libxml2 2.9.14+dfsg-1.3ubuntu0.1
Ubuntu 22.04 LTS:
libxml2 2.9.13+dfsg-1ubuntu0.4
Ubuntu 20.04 LTS:
libxml2 2.9.10+dfsg-5ubuntu0.20.04.7
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6658-1
CVE-2024-25062
Package Information:
https://launchpad.net/ubuntu/+source/libxml2/2.9.14+dfsg-1.3ubuntu0.1
https://launchpad.net/ubuntu/+source/libxml2/2.9.13+dfsg-1ubuntu0.4
https://launchpad.net/ubuntu/+source/libxml2/2.9.10+dfsg-5ubuntu0.20.04.7
[USN-6657-1] Dnsmasq vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6657-1
February 26, 2024
dnsmasq vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Dnsmasq.
Software Description:
- dnsmasq: Small caching DNS proxy and DHCP/TFTP server
Details:
Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered
that Dnsmasq incorrectly handled validating DNSSEC messages. A remote
attacker could possibly use this issue to cause Dnsmasq to consume
resources, leading to a denial of service. (CVE-2023-50387)
It was discovered that Dnsmasq incorrectly handled preparing an NSEC3
closest encloser proof. A remote attacker could possibly use this issue to
cause Dnsmasq to consume resources, leading to a denial of service.
(CVE-2023-50868)
It was discovered that Dnsmasq incorrectly set the maximum EDNS.0 UDP
packet size as required by DNS Flag Day 2020. This issue only affected
Ubuntu 23.10. (CVE-2023-28450)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
dnsmasq-base 2.90-0ubuntu0.23.10.1
Ubuntu 22.04 LTS:
dnsmasq-base 2.90-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
dnsmasq-base 2.90-0ubuntu0.20.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to reboot your computer to
make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6657-1
CVE-2023-28450, CVE-2023-50387, CVE-2023-50868
Package Information:
https://launchpad.net/ubuntu/+source/dnsmasq/2.90-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/dnsmasq/2.90-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/dnsmasq/2.90-0ubuntu0.20.04.1
[USN-6656-1] PostgreSQL vulnerability
==========================================================================
Ubuntu Security Notice USN-6656-1
February 26, 2024
postgresql-12, postgresql-14, postgresql-15 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
PostgreSQL could be made to run arbitrary SQL.
Software Description:
- postgresql-15: Object-relational SQL database
- postgresql-14: Object-relational SQL database
- postgresql-12: Object-relational SQL database
Details:
It was discovered that PostgreSQL incorrectly handled dropping privileges
when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or
automatic system were tricked into running a specially crafted command, a
remote attacker could possibly use this issue to execute arbitrary SQL
functions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
postgresql-15 15.6-0ubuntu0.23.10.1
postgresql-client-15 15.6-0ubuntu0.23.10.1
Ubuntu 22.04 LTS:
postgresql-14 14.11-0ubuntu0.22.04.1
postgresql-client-14 14.11-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
postgresql-12 12.18-0ubuntu0.20.04.1
postgresql-client-12 12.18-0ubuntu0.20.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6656-1
CVE-2024-0985
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-15/15.6-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/postgresql-14/14.11-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/postgresql-12/12.18-0ubuntu0.20.04.1
[USN-6651-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6651-1
February 23, 2024
linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle,
linux-raspi, linux-starfive vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-laptop: Linux kernel for Lenovo X13s ARM laptops
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-starfive: Linux kernel for StarFive processors
- linux-hwe-6.5: Linux hardware enablement (HWE) kernel
Details:
It was discovered that a race condition existed in the ATM (Asynchronous
Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51780)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-51781)
Zhenghan Wang discovered that the generic ID allocator implementation in
the Linux kernel did not properly check for a null bitmap when releasing IDs.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2023-6915)
Robert Morris discovered that the CIFS network file system implementation
in the Linux kernel did not properly validate certain server command
fields, leading to an out-of-bounds read vulnerability. An attacker could
use this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2024-0565)
Jann Horn discovered that the io_uring subsystem in the Linux kernel did
not properly handle the release of certain buffer rings. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2024-0582)
Jann Horn discovered that the TLS subsystem in the Linux kernel did not
properly handle spliced messages, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2024-0646)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
linux-image-6.5.0-1008-starfive 6.5.0-1008.9
linux-image-6.5.0-1010-laptop 6.5.0-1010.13
linux-image-6.5.0-1011-raspi 6.5.0-1011.14
linux-image-6.5.0-1014-aws 6.5.0-1014.14
linux-image-6.5.0-1014-gcp 6.5.0-1014.14
linux-image-6.5.0-1016-oracle 6.5.0-1016.16
linux-image-6.5.0-21-generic 6.5.0-21.21
linux-image-6.5.0-21-generic-64k 6.5.0-21.21
linux-image-aws 6.5.0.1014.14
linux-image-gcp 6.5.0.1014.14
linux-image-generic 6.5.0.21.20
linux-image-generic-64k 6.5.0.21.20
linux-image-generic-lpae 6.5.0.21.20
linux-image-kvm 6.5.0.21.20
linux-image-laptop-23.10 6.5.0.1010.13
linux-image-oracle 6.5.0.1016.16
linux-image-raspi 6.5.0.1011.12
linux-image-raspi-nolpae 6.5.0.1011.12
linux-image-starfive 6.5.0.1008.10
linux-image-virtual 6.5.0.21.20
Ubuntu 22.04 LTS:
linux-image-6.5.0-21-generic 6.5.0-21.21~22.04.1
linux-image-6.5.0-21-generic-64k 6.5.0-21.21~22.04.1
linux-image-generic-64k-hwe-22.04 6.5.0.21.21~22.04.11
linux-image-generic-hwe-22.04 6.5.0.21.21~22.04.11
linux-image-virtual-hwe-22.04 6.5.0.21.21~22.04.11
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
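An added example, not part of the advisory: a small Python check that applies dpkg's version ordering to the fixed versions listed above, reporting which installed packages are still older than the fix and whether the newer kernel image is installed but not yet running (the reboot the notice asks for). The package maps are constructed here; on a real host they would come from dpkg-query and uname -r. Note that dpkg's '~' sorts before everything, so 6.5.0-21.21~22.04.1 is older than 6.5.0-21.21.

```python
import re
def _order(c: str) -> int:
    # dpkg weights: '~' < end of string (0) < letters (ASCII) < other non-digits
    if c in ("~", ""):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Alternate non-digit runs (char by char through _order) and numeric runs.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i, j = i + bool(ca), j + bool(cb)
        sa, sb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[sa:i] or "0"), int(b[sb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep or not epoch.isdigit():
            epoch, rest = "0", v
        up, sep, rev = rest.rpartition("-")
        return (int(epoch), up, rev) if sep else (int(epoch), rest, "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def unpatched(installed: dict, fixed: dict) -> list:
    """Packages in both maps still older than the advisory's fixed version."""
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)
_IMG = re.compile(r"^(?:linux-image-)?(\d[\d.]*-\d+)-(.+)$")  # (ABI, flavour)
def needs_reboot(running_release: str, installed: dict) -> bool:
    """True when a newer image for the running flavour (uname -r) is installed."""
    abi, flavour = _IMG.match(running_release).groups()
    return any(compare_versions(m.group(1), abi) > 0 for m in
               (_IMG.match(p) for p in installed if p.startswith("linux-image-"))
               if m and m.group(2) == flavour)
```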
References:
https://ubuntu.com/security/notices/USN-6651-1
CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,
CVE-2024-0582, CVE-2024-0646
Package Information:
https://launchpad.net/ubuntu/+source/linux/6.5.0-21.21
https://launchpad.net/ubuntu/+source/linux-aws/6.5.0-1014.14
https://launchpad.net/ubuntu/+source/linux-gcp/6.5.0-1014.14
https://launchpad.net/ubuntu/+source/linux-laptop/6.5.0-1010.13
https://launchpad.net/ubuntu/+source/linux-oracle/6.5.0-1016.16
https://launchpad.net/ubuntu/+source/linux-raspi/6.5.0-1011.14
https://launchpad.net/ubuntu/+source/linux-starfive/6.5.0-1008.9
https://launchpad.net/ubuntu/+source/linux-hwe-6.5/6.5.0-21.21~22.04.1