Tuesday, April 30, 2024

[USN-6760-1] Gerbv vulnerability

==========================================================================
Ubuntu Security Notice USN-6760-1
April 30, 2024

gerbv vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Gerbv could be made to crash if it opened a specially crafted input file.

Software Description:
- gerbv: Gerber file viewer for PCB design

Details:

George-Andrei Iosif and David Fernandez Gonzalez discovered that Gerbv did
not properly initialize a data structure when parsing certain nested
RS-274X format files. If a user were tricked into opening a specially
crafted file, an attacker could possibly use this issue to cause a denial
of service (application crash).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
gerbv 2.9.8-1ubuntu0.1

Ubuntu 22.04 LTS
gerbv 2.8.2-1ubuntu0.1~esm2
Available with Ubuntu Pro

Ubuntu 20.04 LTS
gerbv 2.7.0-1ubuntu0.2

Ubuntu 18.04 LTS
gerbv 2.6.1-3ubuntu0.1~esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
gerbv 2.6.0-1ubuntu0.16.04.1~esm2
Available with Ubuntu Pro

Ubuntu 14.04 LTS
gerbv 2.6.0-1ubuntu0.14.04.1~esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6760-1
CVE-2023-4508

Package Information:
https://launchpad.net/ubuntu/+source/gerbv/2.9.8-1ubuntu0.1
https://launchpad.net/ubuntu/+source/gerbv/2.7.0-1ubuntu0.2

[LSN-0103-1] Linux kernel vulnerability

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

- linux - Linux kernel
- linux-aws - Linux kernel for Amazon Web Services (AWS) systems
- linux-azure - Linux kernel for Microsoft Azure Cloud systems
- linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke - Linux kernel for Google Container Engine (GKE) systems
- linux-ibm - Linux kernel for IBM cloud systems

Details

Lonial Con discovered that the netfilter subsystem in the Linux kernel
contained a memory leak when handling certain element flush operations.
A local attacker could use this to expose sensitive information (kernel
memory). (CVE-2023-4569)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel
did not properly handle inactive elements in its PIPAPO data structure,
leading to a use-after-free vulnerability. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2023-6817)

It was discovered that a race condition existed in the AppleTalk
networking subsystem of the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code.
(CVE-2023-51781)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel
did not properly check deactivated elements in certain situations,
leading to a use-after-free vulnerability. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2024-0193)

Lonial Con discovered that the netfilter subsystem in the Linux kernel
did not properly handle element deactivation in certain cases, leading
to a use-after-free vulnerability. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2024-1085)

Notselwyn discovered that the netfilter subsystem in the Linux kernel
did not properly handle verdict parameters in certain cases, leading to
a use-after-free vulnerability. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2024-1086)

In the Linux kernel, the following vulnerability has been resolved:
net: qualcomm: rmnet: fix global oob in rmnet_policy. The variable
rmnet_link_ops assigns a bigger maxtype, which leads to a global
out-of-bounds read when parsing the netlink attributes. (CVE-2024-26597)

Update instructions

The problem can be corrected by updating your kernel livepatch to the
following versions:

Ubuntu 20.04 LTS
aws - 103.1
aws - 103.2
aws - 103.3
azure - 103.3
gcp - 103.2
gcp - 103.3
generic - 103.1
generic - 103.2
generic - 103.3
gke - 103.3
ibm - 103.2
lowlatency - 103.1
lowlatency - 103.2
lowlatency - 103.3

Ubuntu 18.04 LTS
aws - 103.3
azure - 103.3
gcp - 103.3
generic - 103.3
lowlatency - 103.3

Ubuntu 22.04 LTS
aws - 103.1
aws - 103.2
aws - 103.3
azure - 103.1
azure - 103.2
azure - 103.3
gcp - 103.1
gcp - 103.2
generic - 103.1
generic - 103.2
generic - 103.3
gke - 103.1
gke - 103.2
gke - 103.3
ibm - 103.1
ibm - 103.2
ibm - 103.3

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS
kernel version will receive upgrades for a period of up to 9 months
after the build date of the kernel, or until the end of support for that
kernel's non-LTS distro release version, whichever is sooner.

References

- CVE-2023-4569
- CVE-2023-6817
- CVE-2023-51781
- CVE-2024-0193
- CVE-2024-1085
- CVE-2024-1086
- CVE-2024-26597

[USN-6758-1] JSON5 vulnerability

==========================================================================
Ubuntu Security Notice USN-6758-1
April 30, 2024

node-json5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

JSON5 could allow unintended access to network services or have other
unspecified impact.

Software Description:
- node-json5: JSON for the ES5 era

Details:

It was discovered that the JSON5 parse method incorrectly handled the parsing
of keys named __proto__. An attacker could possibly use this issue to pollute
the prototype of the returned object, setting arbitrary or unexpected keys, and
cause a denial of service, allow unintended access to network services or have
other unspecified impact, depending on the application's use of the module.
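
The pattern behind this class of bug, as an added example that is not node-json5's code: when a parser builds the result object with plain assignment, a key literally named __proto__ does not become a property at all but invokes the Object.prototype.__proto__ setter, so the returned object inherits whatever the attacker supplied. The function names buildObjectUnsafe and buildObjectSafe, the isAdmin checks, and the input pairs (what a parser would produce for the constructed input {"__proto__": {"isAdmin": true}, "theme": "dark"}) are all illustrative assumptions.

```javascript
// Added example, not node-json5's code: how a "__proto__" key in parsed
// input pollutes the prototype of the returned object, and the hardened
// construction pattern. Input pairs are constructed for this demo.

// Key/value pairs a JSON5-style parser would produce for the (constructed)
// attacker input  {"__proto__": {"isAdmin": true}, "theme": "dark"}
const ATTACKER_PAIRS = [
  ['__proto__', { isAdmin: true }],
  ['theme', 'dark'],
];

// Vulnerable pattern: plain assignment. For the key "__proto__" this does
// not create a property; it invokes the Object.prototype.__proto__ setter
// and swaps the object's prototype for attacker-controlled data.
function buildObjectUnsafe(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    obj[key] = value;
  }
  return obj;
}

// Hardened pattern: define an own data property, so "__proto__" becomes an
// ordinary key and the prototype chain is left untouched.
function buildObjectSafe(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value,
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return obj;
}

// Application-side check that trusts inherited properties (a common config
// loader habit), beside one that only trusts own properties.
function isAdminNaive(settings) {
  return Boolean(settings.isAdmin);
}
function isAdminStrict(settings) {
  return Object.prototype.hasOwnProperty.call(settings, 'isAdmin') &&
    settings.isAdmin === true;
}

function demo() {
  const unsafe = buildObjectUnsafe(ATTACKER_PAIRS);
  const safe = buildObjectSafe(ATTACKER_PAIRS);
  return {
    unsafeHasAdmin: isAdminNaive(unsafe),            // true: inherited from the injected prototype
    unsafeOwnKeys: Object.keys(unsafe),              // ['theme']: the payload is invisible to Object.keys
    unsafePrototypeIsObject: Object.getPrototypeOf(unsafe) === Object.prototype, // false
    safeHasAdmin: isAdminNaive(safe),                // false
    safeOwnKeys: Object.keys(safe),                  // ['__proto__', 'theme']
    safePrototypeIsObject: Object.getPrototypeOf(safe) === Object.prototype,     // true
    strictCheckOnUnsafe: isAdminStrict(unsafe),      // false: own-property check defeats the injection
    globalPrototypeClean: ({}).isAdmin === undefined, // true: Object.prototype itself is not modified here
  };
}

console.log(demo());
```

The returned object's prototype is what the advisory calls "polluted"; Object.prototype itself is only reached when an application later deep-merges such an object into another one, which is why the impact depends on how the module is used.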

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
node-json5 2.2.0+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
node-json5 0.5.1-3ubuntu0.1

Ubuntu 18.04 LTS
node-json5 0.5.1-1ubuntu0.1~esm1
Available with Ubuntu Pro

After a standard system update you may need to restart any services that use
the library to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6758-1
CVE-2022-46175

Package Information:
https://launchpad.net/ubuntu/+source/node-json5/0.5.1-3ubuntu0.1

[USN-6761-1] Anope vulnerability

==========================================================================
Ubuntu Security Notice USN-6761-1
April 30, 2024

anope vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Anope could be made to bypass authentication checks for suspended accounts.

Software Description:
- anope: an open source set of IRC Services

Details:

It was discovered that Anope did not properly process credentials for
suspended accounts. An attacker could possibly use this issue to log in
normally as a suspended user after changing their password.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
anope 2.0.12-1ubuntu1

Ubuntu 23.10
anope 2.0.12-1ubuntu0.23.10.1

Ubuntu 22.04 LTS
anope 2.0.9-1ubuntu0.1

Ubuntu 20.04 LTS
anope 2.0.6-1ubuntu0.1

Ubuntu 18.04 LTS
anope 2.0.4-2ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
anope 2.0.3-1ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6761-1
CVE-2024-30187

Package Information:
https://launchpad.net/ubuntu/+source/anope/2.0.12-1ubuntu1
https://launchpad.net/ubuntu/+source/anope/2.0.12-1ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/anope/2.0.9-1ubuntu0.1
https://launchpad.net/ubuntu/+source/anope/2.0.6-1ubuntu0.1

Monday, April 29, 2024

[USN-6759-1] FreeRDP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6759-1
April 29, 2024

freerdp3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in FreeRDP.

Software Description:
- freerdp3: RDP client for Windows Terminal Services

Details:

It was discovered that FreeRDP incorrectly handled certain memory
operations. If a user were tricked into connecting to a malicious server, a
remote attacker could possibly use this issue to cause FreeRDP to crash,
resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libfreerdp3-3 3.5.1+dfsg1-0ubuntu1

After a standard system update you need to restart your session to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6759-1
CVE-2024-32658, CVE-2024-32659, CVE-2024-32660, CVE-2024-32661,
CVE-2024-32662

Package Information:
https://launchpad.net/ubuntu/+source/freerdp3/3.5.1+dfsg1-0ubuntu1

[announce] May 1 NYC*BUG: Demystify ZFS Replication

Demystify ZFS Replication With a Safe and Powerful Approach, Daniel
J. Bell
2024-05-01 @ 18:45 EDT (22:45 UTC) - NYU Tandon Engineering Building
(new), 370 Jay St, 7th Floor kitchen area, Brooklyn (directly across Jay
St from the National Grid office). Closest subway exits, in order, are Jay
St - MetroTech Station (A, C, R, & F Trains) and Borough Hall (4 & 5 Trains).

Notice: You should RSVP for this meeting at rsvp AT
lists.nycbug.org. You should receive an autoresponse email. Your email
address is sufficient verification for entry.

ZFS is theoretically a powerhouse for data protection and
performance, but only if you can dodge its many traps. I'll demonstrate
the common ZFS pitfalls and their solutions, along with practical
strategies to simplify and scale your backups. I'll also introduce
Zelta, a toolkit of management scripts built on Unix fundamentals
designed to help you master ZFS with finesse.

Daniel J. Bell is the CEO of Bell Tower Integration, an NYC-based IT
consultancy with over two decades of experience. A FreeBSD aficionado
for over 25 years, he's all about making advanced systems approachable.
Catch up or learn more about Zelta at https://zelta.space

Offsite Participation: We plan to stream via NYC*BUG Website unless
the speaker requests otherwise. Q&A will be via IRC on Libera.chat
channel #nycbug - Please preface your questions with '[Q]'
_______________________________________________
announce mailing list
announce@lists.nycbug.org
https://lists.nycbug.org:8443/mailman/listinfo/announce

[USN-6757-1] PHP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6757-1
April 29, 2024

php7.0, php7.2, php7.4, php8.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled the PHP_CLI_SERVER_WORKERS
variable. An attacker could possibly use this issue to cause a crash or
execute arbitrary code. This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2022-4900)

It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to bypass cookie-based
protections. (CVE-2024-2756)

It was discovered that PHP incorrectly handled some passwords.
An attacker could possibly use this issue to take over accounts.
(CVE-2024-3096)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
libapache2-mod-php8.1 8.1.2-1ubuntu2.16
php8.1 8.1.2-1ubuntu2.16
php8.1-cgi 8.1.2-1ubuntu2.16
php8.1-cli 8.1.2-1ubuntu2.16
php8.1-fpm 8.1.2-1ubuntu2.16
php8.1-xml 8.1.2-1ubuntu2.16

Ubuntu 20.04 LTS
libapache2-mod-php7.4 7.4.3-4ubuntu2.21
php7.4 7.4.3-4ubuntu2.21
php7.4-cgi 7.4.3-4ubuntu2.21
php7.4-cli 7.4.3-4ubuntu2.21
php7.4-fpm 7.4.3-4ubuntu2.21
php7.4-xml 7.4.3-4ubuntu2.21

Ubuntu 18.04 LTS
libapache2-mod-php7.2 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-xml 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-xml 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6757-1
CVE-2022-4900, CVE-2024-2756, CVE-2024-3096

Package Information:
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.16
https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.21

[USN-6744-3] Pillow vulnerability

==========================================================================
Ubuntu Security Notice USN-6744-3
April 29, 2024

pillow vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Pillow could be made to crash or run programs as an administrator
if it opened a specially crafted file.

Software Description:
- pillow: Python Imaging Library

Details:

USN-6744-1 fixed a vulnerability in Pillow. This update
provides the corresponding updates for Ubuntu 24.04 LTS.

Original advisory details:

Hugo van Kemenade discovered that Pillow was not properly performing
bounds checks when processing an ICC file, which could lead to a buffer
overflow. If a user or automated system were tricked into processing a
specially crafted ICC file, an attacker could possibly use this issue
to cause a denial of service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
python3-pil 10.2.0-1ubuntu1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6744-3
https://ubuntu.com/security/notices/USN-6744-1
CVE-2024-28219

Package Information:
https://launchpad.net/ubuntu/+source/pillow/10.2.0-1ubuntu1

[USN-6734-2] libvirt vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6734-2
April 29, 2024

libvirt vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in libvirt.

Software Description:
- libvirt: Libvirt virtualization toolkit

Details:

USN-6734-1 fixed vulnerabilities in libvirt. This update provides the
corresponding updates for Ubuntu 24.04 LTS.

Original advisory details:

Alexander Kuznetsov discovered that libvirt incorrectly handled certain API
calls. An attacker could possibly use this issue to cause libvirt to crash,
resulting in a denial of service. (CVE-2024-1441)
It was discovered that libvirt incorrectly handled certain RPC library API
calls. An attacker could possibly use this issue to cause libvirt to crash,
resulting in a denial of service. (CVE-2024-2494)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libvirt-daemon 10.0.0-2ubuntu8.1
libvirt-daemon-system 10.0.0-2ubuntu8.1
libvirt0 10.0.0-2ubuntu8.1

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6734-2
https://ubuntu.com/security/notices/USN-6734-1
CVE-2024-1441, CVE-2024-2494

Package Information:
https://launchpad.net/ubuntu/+source/libvirt/10.0.0-2ubuntu8.1

[USN-6718-3] curl vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6718-3
April 29, 2024

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

USN-6718-1 fixed vulnerabilities in curl. This update provides the
corresponding updates for Ubuntu 24.04 LTS.

Original advisory details:

Dan Fandrich discovered that curl would incorrectly use the default set of
protocols when a parameter option disabled all protocols without adding
any, contrary to expectations. This issue only affected Ubuntu 23.10.
(CVE-2024-2004)
It was discovered that curl incorrectly handled memory when limiting the
amount of headers when HTTP/2 server push is allowed. A remote attacker
could possibly use this issue to cause curl to consume resources, leading
to a denial of service. (CVE-2024-2398)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
curl 8.5.0-2ubuntu10.1
libcurl3t64-gnutls 8.5.0-2ubuntu10.1
libcurl4t64 8.5.0-2ubuntu10.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6718-3
https://ubuntu.com/security/notices/USN-6718-1
CVE-2024-2004, CVE-2024-2398

Package Information:
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.1

[USN-6733-2] GnuTLS vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6733-2
April 29, 2024

gnutls28 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in GnuTLS.

Software Description:
- gnutls28: GNU TLS library

Details:

USN-6733-1 fixed vulnerabilities in GnuTLS. This update provides the
corresponding updates for Ubuntu 24.04 LTS.

Original advisory details:

It was discovered that GnuTLS had a timing side-channel when performing
certain ECDSA operations. A remote attacker could possibly use this issue
to recover sensitive information. (CVE-2024-28834)
It was discovered that GnuTLS incorrectly handled verifying certain PEM
bundles. A remote attacker could possibly use this issue to cause GnuTLS to
crash, resulting in a denial of service. This issue only affected Ubuntu
22.04 LTS and Ubuntu 23.10. (CVE-2024-28835)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libgnutls30t64 3.8.3-1.1ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6733-2
https://ubuntu.com/security/notices/USN-6733-1
CVE-2024-28834, CVE-2024-28835

Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.8.3-1.1ubuntu3.1

[USN-6729-3] Apache HTTP Server vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6729-3
April 29, 2024

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-6729-1 fixed vulnerabilities in Apache HTTP Server. This update
provides the corresponding updates for Ubuntu 24.04 LTS.

Original advisory details:

Orange Tsai discovered that the Apache HTTP Server incorrectly handled
validating certain input. A remote attacker could possibly use this
issue to perform HTTP request splitting attacks. (CVE-2023-38709)
Keran Mu and Jianjun Chen discovered that the Apache HTTP Server
incorrectly handled validating certain input. A remote attacker could
possibly use this issue to perform HTTP request splitting attacks.
(CVE-2024-24795)
Bartek Nowotarski discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled endless continuation frames. A remote attacker could
possibly use this issue to cause the server to consume resources, leading
to a denial of service. (CVE-2024-27316)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
apache2 2.4.58-1ubuntu8.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6729-3
https://ubuntu.com/security/notices/USN-6729-1
CVE-2023-38709, CVE-2024-24795, CVE-2024-27316

Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.1

[USN-6737-2] GNU C Library vulnerability

==========================================================================
Ubuntu Security Notice USN-6737-2
April 29, 2024

glibc vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

GNU C Library could be made to crash or run programs if it processed
specially crafted data.

Software Description:
- glibc: GNU C Library

Details:

USN-6737-1 fixed a vulnerability in the GNU C Library. This update provides
the corresponding update for Ubuntu 24.04 LTS.

Original advisory details:

Charles Fol discovered that the GNU C Library iconv feature incorrectly
handled certain input sequences. An attacker could use this issue to cause
the GNU C Library to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libc6 2.39-0ubuntu8.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6737-2
https://ubuntu.com/security/notices/USN-6737-1
CVE-2024-2961

Package Information:
https://launchpad.net/ubuntu/+source/glibc/2.39-0ubuntu8.1

[USN-6756-1] less vulnerability

==========================================================================
Ubuntu Security Notice USN-6756-1
April 29, 2024

less vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

less could be made to run programs as your login if it opened a specially
crafted file.

Software Description:
- less: pager program similar to more

Details:

It was discovered that less mishandled newline characters in file names. If
a user or automated system were tricked into opening specially crafted
files, an attacker could possibly use this issue to execute arbitrary
commands on the host.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  less                            590-2ubuntu2.1

Ubuntu 23.10
  less                            590-2ubuntu0.23.10.2

Ubuntu 22.04 LTS
  less                            590-1ubuntu0.22.04.3

Ubuntu 20.04 LTS
  less                            551-1ubuntu0.3

Ubuntu 18.04 LTS
  less                            487-0.1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  less                            481-2.1ubuntu0.2+esm2
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  less                            458-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6756-1
  CVE-2024-32487

Package Information:
  https://launchpad.net/ubuntu/+source/less/590-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/less/590-2ubuntu0.23.10.2
  https://launchpad.net/ubuntu/+source/less/590-1ubuntu0.22.04.3
  https://launchpad.net/ubuntu/+source/less/551-1ubuntu0.3

[USN-6755-1] GNU cpio vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6755-1
April 29, 2024

cpio vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

GNU cpio could be made to write files outside the target directory.

Software Description:
- cpio: a tool to manage archives of files

Details:

Ingo Brückl discovered that cpio contained a path traversal vulnerability.
If a user or automated system were tricked into extracting a specially
crafted cpio archive, an attacker could possibly use this issue to write
arbitrary files outside the target directory on the host, even if using the
option --no-absolute-filenames.
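
A pre-extraction audit for the class of problem described above, as an added example that is not GNU cpio's code and does not reproduce the exact trigger of CVE-2023-7207: it parses a newc-format cpio archive and flags every entry that could write outside the target directory, namely absolute names, ".." components, symlinks whose target leaves the tree, and later entries routed through such a symlink. The newc writer, the sample archive and the function names (parseNewc, resolvePath, auditArchive) are all constructed for this script.

```javascript
// Added example (not GNU cpio's code): audit a newc cpio archive for
// entries that would land outside the extraction directory. The sample
// archive is constructed here, not taken from the advisory or the CVE.

const S_IFMT = 0o170000;
const S_IFLNK = 0o120000;
const HEADER_LEN = 110;                       // "070701" + 13 fields * 8 hex digits
const pad4 = (n) => (4 - (n % 4)) % 4;
const hex8 = (n) => n.toString(16).padStart(8, '0');

// Minimal newc writer, used only to build the constructed sample archive.
function newcEntry(name, mode, data) {
  const nameBuf = Buffer.from(name + '\0', 'utf8');
  const fields = [0, mode, 0, 0, 1, 0, data.length, 0, 0, 0, 0, nameBuf.length, 0];
  const header = Buffer.from('070701' + fields.map(hex8).join(''), 'ascii');
  return Buffer.concat([header, nameBuf, Buffer.alloc(pad4(HEADER_LEN + nameBuf.length)),
                        data, Buffer.alloc(pad4(data.length))]);
}
function buildArchive(entries) {
  const parts = entries.map((e) => newcEntry(e.name, e.mode, Buffer.from(e.data || '', 'utf8')));
  parts.push(newcEntry('TRAILER!!!', 0, Buffer.alloc(0)));
  return Buffer.concat(parts);
}

// newc reader: returns [{ name, mode, data }] up to the trailer entry.
function parseNewc(buf) {
  const entries = [];
  let off = 0;
  while (off + HEADER_LEN <= buf.length) {
    if (buf.toString('ascii', off, off + 6) !== '070701') throw new Error(`bad magic at ${off}`);
    const field = (i) => parseInt(buf.toString('ascii', off + 6 + 8 * i, off + 14 + 8 * i), 16);
    const mode = field(1), filesize = field(6), namesize = field(11);
    const name = buf.toString('utf8', off + HEADER_LEN, off + HEADER_LEN + namesize - 1);
    const dataOff = off + HEADER_LEN + namesize + pad4(HEADER_LEN + namesize);
    const data = buf.subarray(dataOff, dataOff + filesize);
    off = dataOff + filesize + pad4(filesize);
    if (name === 'TRAILER!!!') break;
    entries.push({ name, mode, data });
  }
  return entries;
}

// Resolve an archive path relative to the extraction root, following
// symlinks already seen in the archive. Returns null if it escapes.
function resolvePath(path, links, depth = 0) {
  if (depth > 40) return null;                // symlink loop guard
  const parts = path.split('/');
  const stack = [];
  for (let i = 0; i < parts.length; i++) {
    const part = parts[i];
    if (part === '' || part === '.') continue;
    if (part === '..') { if (stack.length === 0) return null; stack.pop(); continue; }
    stack.push(part);
    const soFar = stack.join('/');
    if (links.has(soFar)) {                   // re-route through the symlink target
      const target = links.get(soFar);
      if (target.startsWith('/')) return null;
      stack.pop();
      const rest = parts.slice(i + 1).join('/');
      return resolvePath([...stack, target, rest].filter(Boolean).join('/'), links, depth + 1);
    }
  }
  return stack.join('/');
}

function auditArchive(buf) {
  const findings = [];
  const links = new Map();                    // symlink name -> target, in archive order
  for (const e of parseNewc(buf)) {
    const reasons = [];
    if (e.name.startsWith('/')) reasons.push('absolute path');
    if (e.name.split('/').includes('..')) reasons.push("'..' component");
    if (resolvePath(e.name, links) === null) reasons.push('resolves outside the target directory');
    if ((e.mode & S_IFMT) === S_IFLNK) {
      const target = e.data.toString('utf8');
      const dir = e.name.includes('/') ? e.name.slice(0, e.name.lastIndexOf('/') + 1) : '';
      if (target.startsWith('/') || resolvePath(dir + target, links) === null) {
        reasons.push(`symlink target ${JSON.stringify(target)} escapes the target directory`);
      }
      links.set(e.name, target);
    }
    if (reasons.length) findings.push({ name: e.name, reasons });
  }
  return findings;
}

// Constructed sample: one benign file and four hostile entries.
const SAMPLE_ARCHIVE = buildArchive([
  { name: 'etc/motd', mode: 0o100644, data: 'hello\n' },
  { name: '/etc/passwd', mode: 0o100644, data: 'root::0:0::/:/bin/sh\n' },
  { name: '../.bashrc', mode: 0o100644, data: 'echo pwned\n' },
  { name: 'lib', mode: 0o120777, data: '../../tmp' },      // symlink pointing out of the tree
  { name: 'lib/evil.so', mode: 0o100644, data: 'x' },       // regular file written through that link
]);

function auditSample() { return auditArchive(SAMPLE_ARCHIVE); }
console.log(JSON.stringify(auditSample(), null, 2));
```

The symlink case is the one a plain name check misses: "lib/evil.so" contains neither a leading slash nor "..", yet once the earlier "lib" symlink is honoured it resolves to ../../tmp/evil.so. Auditing the archive in order, with the links seen so far, is what makes that visible before anything is written.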

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  cpio                            2.13+dfsg-7.1ubuntu0.1

Ubuntu 22.04 LTS
  cpio                            2.13+dfsg-7ubuntu0.1

Ubuntu 20.04 LTS
  cpio                            2.13+dfsg-2ubuntu0.4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6755-1
  CVE-2023-7207

Package Information:
  https://launchpad.net/ubuntu/+source/cpio/2.13+dfsg-7.1ubuntu0.1
  https://launchpad.net/ubuntu/+source/cpio/2.13+dfsg-7ubuntu0.1
  https://launchpad.net/ubuntu/+source/cpio/2.13+dfsg-2ubuntu0.4

Sunday, April 28, 2024

F41 Change Proposal: Node.js 22.x by default (system-wide)

Wiki - https://fedoraproject.org/wiki/Changes/Nodejs22
Discussion thread -
https://discussion.fedoraproject.org/t/f41-change-proposal-node-js-22-x-by-default-system-wide/114740

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
The latest release of Node.js to carry a 30-month lifecycle is the
22.x series. As with 20.x, 18.x, 16.x, 14.x, 12.x, 10.x and 8.x before
it, Fedora 41 will carry 22.x as the default Node.js interpreter for
the system. The 20.x and 18.x interpreters will remain available as
parallel-installable options.


== Owner ==
* Name: [[User:Sgallagh| Stephen Gallagher]]
* Email: sgallagh@fedoraproject.org
* Responsible SIG: Node.js SIG


== Detailed Description ==
Fedora 41 will ship with the latest LTS version of Node.js. '''dnf
install nodejs''' will give users Node.js 22.x and the matching npm
package.

== Benefit to Fedora ==
Node.js is a popular server-side JavaScript engine. Keeping Fedora on
the latest release allows us to continue tracking the state-of-the-art
in that space. For those whose applications do not yet work with the
22.x release, Fedora 41 will also have the 20.x and 18.x releases
available as selectable module streams.


== Scope ==
* Proposal owners:

We will build Node.js 22.x in Rawhide over the next few days as a
non-default version (similar to 18.x in Fedora 40). Once this is done,
we will announce that the switch will occur on or soon after May 27th,
2024. At that time, we will rebuild Node.js 20.x in non-default mode
and rebuild Node.js 22.x as the default "nodejs" package with the
appropriate upgrade path.

* Other developers:
Any developer with a package that depends on Node.js at run-time or
build-time should test with the 22.x alternative package as soon as
possible. Issues should be reported to nodejs@lists.fedoraproject.org.

* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)


== Upgrade/compatibility impact ==
Users running Fedora 39 or Fedora 40 with the nodejs-20 packages will
be automatically upgraded to the 22.x packages when they upgrade to
Fedora 41, which may cause compatibility issues. If users are running
software known not to support Node.js 22.x yet, they will need to
install the nodejs18 compatibility packages and possibly modify their
startup scripts to call `/usr/bin/node-18` rather than
`/usr/bin/node`.


== How To Test ==
* Confirm that `dnf install nodejs` results in Node.js 22.x being installed.
* Confirm that upgrading from Fedora 39 or Fedora 40 with nodejs-20.x
installed results in an upgrade to nodejs-22.x
* Confirm that upgrading from Fedora 39 or Fedora 40 with the nodejs22
package installed results in an upgrade to the nodejs-22.x package,
obsoleting the nodejs22 package.

== User Experience ==
Users will have the 22.x release of Node.js available by default. See
the "Upgrade/compatibility impact" section for specific details.


== Dependencies ==
All packages prefixed with `nodejs-` depend on this package. If they
do not work with Node.js 22.x, they will need to be updated, or made
explicitly dependent upon the `nodejs20` compatibility package or else
removed from Fedora 41.

Prior to the switchover date to Node.js 22.x as the default, packagers
are strongly encouraged to test their existing Node modules with 22.x
by installing the nodejs22 forward-compatibility package (which
provides `/usr/bin/node-22`).


== Contingency Plan ==
* Contingency mechanism: Revert to Node.js 20.x as the default Node.js
interpreter. This will require bumping the epoch.
* Contingency deadline: Beta Freeze
* Blocks release? No
* Blocks product? No

== Documentation ==
* https://nodejs.org/dist/latest-v22.x/docs/api/
* https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V22.md
* https://docs.fedoraproject.org/en-US/packaging-guidelines/Node.js/

== Release Notes ==
Fedora 41 now ships with Node.js 22.x as the default Node.js
JavaScript server-side engine. If your applications are not yet ready
for this newer version, they will need to be modified to depend on the
compatibility package nodejs20 and to rely on `/usr/bin/node-20` rather
than `/usr/bin/node` for operation.


--
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

F41 Change Proposal: Perl 5.40 (system-wide)

Wiki - https://fedoraproject.org/wiki/Changes/perl5.40
Discussion Thread -
https://discussion.fedoraproject.org/t/f41-change-proposal-perl-5-38-system-wide/114739

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
A new ''perl 5.40'' version brings a lot of changes made over a year
of development. Perl 5.40 should be released on May 20th 2024. See
[https://metacpan.org/release/PEVANS/perl-5.39.9/view/pod/perldelta.pod
perldelta for 5.39.9] for more details about the new release.

== Owner ==
* Name: [[User:Jplesnik| Jitka Plesníková]], [[User:Mspacek| Michal
Josef Špaček]]
* Email: <jplesnik@redhat.com>, <mspacek@redhat.com>


=== Completed Items ===

=== Items in Progress ===

=== Items to Be Done ===
* Get dedicated build-root from rel-engs ''f41-perl''
* Upstream to release Perl 5.40
* Define perl_bootstrap in perl-srpm-macros
* Rebase perl to 5.40.0
* Rebuild all dual-lived packages (83) - otherwise dnf recommends
--skip-broken and fails
* Rebuild packages needed for minimal build-root
* Rebuild packages needed for building source packages from git repository
* Rebuild packages requiring ''libperl.so'' or versioned
''perl(MODULE_COMPAT)'': Use Fedora::Rebuild dependency solver
* Undefine perl_bootstrap
* Rebuild packages having perl_bootstrap condition in spec file (51 packages)
* Rebuild all updated packages
* [https://jplesnik.fedorapeople.org/5.40/ Final lists of results]
* Merge dedicated build-root to rawhide and remove the dedicated one by rel-engs
* Synchronize packages upgraded in ''f41'' build root
* Rebuild Perl packages: 0 of 606 done (0.00 %)
* Failed packages (0):

== Detailed Description ==
A new Perl is released every year, and updates containing mainly bug
fixes follow during the year. The 5.40.0 version is this year's stable
release.

== Benefit to Fedora ==
The latest Perl release will be delivered to Fedora users.

== Scope ==
Every Perl package will be rebuilt in a dedicated ''f41-perl''
build-root against perl 5.40.0 and then if no major problem emerges
the packages will be merged back to ''f41'' build-root.

* Proposal owners: New perl and all packages requiring ''libperl.so''
or versioned ''perl(MODULE_COMPAT)'' will be rebuilt into ''f41-perl''
build-root.

* Other developers: Owners of packages that fail to rebuild, mainly
perl-sig users, will be asked using Bugzilla to fix or remove their
packages from the distribution.

* Release engineering: [https://pagure.io/releng/issues #Releng issue
number]
Release engineers will be asked for a new ''f41-perl'' build-root
inheriting from the ''f41'' build-root. After the rebuild finishes
successfully, they will be asked to merge the ''f41-perl'' packages back
into the ''f41'' build-root.

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)

* Alignment with Community Initiatives:

== Upgrade/compatibility impact ==
The vast majority of functionality will be preserved. Only the packages
that fail to build against perl 5.40 will be removed from the
distribution. Those packages will also have to be removed from existing
systems, otherwise the package manager will encounter unsatisfied
dependencies. Perl developers are advised to install the ''perl-doc''
and ''perl-debugger'' packages.

== How To Test ==
Try upgrading from Fedora 40 to 41. Try some Perl applications to
verify that they work as expected. Try the embedded perl in
[https://src.fedoraproject.org/rpms/openldap slapd] or
[https://src.fedoraproject.org/rpms/net-snmp snmpd].

== User Experience ==
There should not be any noticeable change in user experience, with the
exception that modules previously installed locally with a CPAN client
will need to be reinstalled.

== Dependencies ==
There are more than 3500 packages depending on perl. We will rebuild
only the dual-lived packages and the packages which require
''libperl.so'' or a versioned ''perl(MODULE_COMPAT)''. That means only
about 600 packages need to be rebuilt. Most of them are expected not to
break. Finishing this change can be endangered only by critical changes
in the toolchain. ''noarch'' packages don't need to be rebuilt now.

== Contingency Plan ==
* Contingency mechanism: If we find perl 5.40 is not suitable for
Fedora 41, we will revert to perl 5.38 and drop the temporary
build-root with the already rebuilt packages.
* Contingency deadline: branching Fedora 41 from Rawhide.
* Blocks release? No.

== Documentation ==
* 5.40.0 perldelta
* An announcement on perl-devel mailing list
* An announcement on fedora-devel mailing list

== Release Notes ==
TBD, when release candidate appears.

--
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Thursday, April 25, 2024

[USN-6754-1] nghttp2 vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6754-1
April 25, 2024

nghttp2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in nghttp2.

Software Description:
- nghttp2: HTTP/2 C Library and tools

Details:

It was discovered that nghttp2 did not properly bound resource use for
certain HTTP/2 traffic patterns (the "Data Dribble" and "Resource Loop"
attacks). A remote attacker could possibly use this issue to cause
nghttp2 to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
CVE-2019-9513)

It was discovered that nghttp2 incorrectly handled request cancellation
(the HTTP/2 "Rapid Reset" attack). A remote attacker could possibly use
this issue to cause nghttp2 to consume resources, leading to a denial of
service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2023-44487)

It was discovered that nghttp2 could be made to process an unlimited number
of HTTP/2 CONTINUATION frames. A remote attacker could possibly use this
issue to cause nghttp2 to consume resources, leading to a denial of
service. (CVE-2024-28182)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libnghttp2-14                   1.55.1-1ubuntu0.2
  nghttp2                         1.55.1-1ubuntu0.2
  nghttp2-client                  1.55.1-1ubuntu0.2
  nghttp2-proxy                   1.55.1-1ubuntu0.2
  nghttp2-server                  1.55.1-1ubuntu0.2

Ubuntu 22.04 LTS:
  libnghttp2-14                   1.43.0-1ubuntu0.2
  nghttp2                         1.43.0-1ubuntu0.2
  nghttp2-client                  1.43.0-1ubuntu0.2
  nghttp2-proxy                   1.43.0-1ubuntu0.2
  nghttp2-server                  1.43.0-1ubuntu0.2

Ubuntu 20.04 LTS:
  libnghttp2-14                   1.40.0-1ubuntu0.3
  nghttp2                         1.40.0-1ubuntu0.3
  nghttp2-client                  1.40.0-1ubuntu0.3
  nghttp2-proxy                   1.40.0-1ubuntu0.3
  nghttp2-server                  1.40.0-1ubuntu0.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libnghttp2-14                   1.30.0-1ubuntu1+esm2
  nghttp2                         1.30.0-1ubuntu1+esm2
  nghttp2-client                  1.30.0-1ubuntu1+esm2
  nghttp2-proxy                   1.30.0-1ubuntu1+esm2
  nghttp2-server                  1.30.0-1ubuntu1+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libnghttp2-14                   1.7.1-1ubuntu0.1~esm2
  nghttp2                         1.7.1-1ubuntu0.1~esm2
  nghttp2-client                  1.7.1-1ubuntu0.1~esm2
  nghttp2-proxy                   1.7.1-1ubuntu0.1~esm2
  nghttp2-server                  1.7.1-1ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6754-1
  CVE-2019-9511, CVE-2019-9513, CVE-2023-44487, CVE-2024-28182

Package Information:
  https://launchpad.net/ubuntu/+source/nghttp2/1.55.1-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/nghttp2/1.43.0-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/nghttp2/1.40.0-1ubuntu0.3

[USN-6753-1] CryptoJS vulnerability

==========================================================================
Ubuntu Security Notice USN-6753-1
April 25, 2024

cryptojs vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

CryptoJS could be made to expose sensitive information.

Software Description:
- cryptojs: collection of cryptographic algorithms implemented in JavaScript

Details:

Thomas Neil James Shadwell discovered that CryptoJS was using an insecure
cryptographic default configuration. A remote attacker could possibly use
this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
libjs-cryptojs 3.1.2+dfsg-3ubuntu0.22.04.1~esm1

Ubuntu 20.04 LTS:
libjs-cryptojs 3.1.2+dfsg-2ubuntu0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libjs-cryptojs 3.1.2+dfsg-2ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libjs-cryptojs 3.1.2+dfsg-2ubuntu0.16.04.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6753-1
CVE-2023-46233

Package Information:
https://launchpad.net/ubuntu/+source/cryptojs/3.1.2+dfsg-2ubuntu0.20.04.1

[USN-6751-1] Zabbix vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6751-1
April 25, 2024

zabbix vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Zabbix could allow reflected cross-site scripting (XSS) attacks.

Software Description:
- zabbix: Open-source monitoring software tool for diverse IT components

Details:

It was discovered that Zabbix incorrectly handled input data in the
discovery and graphs pages. A remote authenticated attacker could possibly
use this issue to perform reflected cross-site scripting (XSS) attacks.
(CVE-2022-35229, CVE-2022-35230)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS (Available with Ubuntu Pro):
  zabbix-agent                    1:4.0.17+dfsg-1ubuntu0.1~esm1
  zabbix-frontend-php             1:4.0.17+dfsg-1ubuntu0.1~esm1
  zabbix-java-gateway             1:4.0.17+dfsg-1ubuntu0.1~esm1
  zabbix-proxy-mysql              1:4.0.17+dfsg-1ubuntu0.1~esm1
  zabbix-proxy-pgsql              1:4.0.17+dfsg-1ubuntu0.1~esm1
  zabbix-proxy-sqlite3            1:4.0.17+dfsg-1ubuntu0.1~esm1
  zabbix-server-mysql             1:4.0.17+dfsg-1ubuntu0.1~esm1
  zabbix-server-pgsql             1:4.0.17+dfsg-1ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  zabbix-agent                    1:3.0.12+dfsg-1ubuntu0.1~esm3
  zabbix-frontend-php             1:3.0.12+dfsg-1ubuntu0.1~esm3
  zabbix-java-gateway             1:3.0.12+dfsg-1ubuntu0.1~esm3
  zabbix-proxy-mysql              1:3.0.12+dfsg-1ubuntu0.1~esm3
  zabbix-proxy-pgsql              1:3.0.12+dfsg-1ubuntu0.1~esm3
  zabbix-proxy-sqlite3            1:3.0.12+dfsg-1ubuntu0.1~esm3
  zabbix-server-mysql             1:3.0.12+dfsg-1ubuntu0.1~esm3
  zabbix-server-pgsql             1:3.0.12+dfsg-1ubuntu0.1~esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  zabbix-agent                    1:2.4.7+dfsg-2ubuntu2.1+esm3
  zabbix-frontend-php             1:2.4.7+dfsg-2ubuntu2.1+esm3
  zabbix-java-gateway             1:2.4.7+dfsg-2ubuntu2.1+esm3
  zabbix-proxy-mysql              1:2.4.7+dfsg-2ubuntu2.1+esm3
  zabbix-proxy-pgsql              1:2.4.7+dfsg-2ubuntu2.1+esm3
  zabbix-proxy-sqlite3            1:2.4.7+dfsg-2ubuntu2.1+esm3
  zabbix-server-mysql             1:2.4.7+dfsg-2ubuntu2.1+esm3
  zabbix-server-pgsql             1:2.4.7+dfsg-2ubuntu2.1+esm3

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  zabbix-agent                    1:2.2.2+dfsg-1ubuntu1+esm5
  zabbix-frontend-php             1:2.2.2+dfsg-1ubuntu1+esm5
  zabbix-java-gateway             1:2.2.2+dfsg-1ubuntu1+esm5
  zabbix-proxy-mysql              1:2.2.2+dfsg-1ubuntu1+esm5
  zabbix-proxy-pgsql              1:2.2.2+dfsg-1ubuntu1+esm5
  zabbix-proxy-sqlite3            1:2.2.2+dfsg-1ubuntu1+esm5
  zabbix-server-mysql             1:2.2.2+dfsg-1ubuntu1+esm5
  zabbix-server-pgsql             1:2.2.2+dfsg-1ubuntu1+esm5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6751-1
  CVE-2022-35229, CVE-2022-35230

[announce] Next NYC*BUG: May 1st

Demystify ZFS Replication With a Safe and Powerful Approach, by Daniel J. Bell
2024-05-01 @ 18:45 EDT (22:45 UTC) - NYU Tandon Engineering Building (new), 370 Jay St, 7th Floor kitchen area, Brooklyn (directly across Jay St from the National Grid office). The closest subway exits, in order, are Jay St - MetroTech Station (A, C, R and F trains) and Borough Hall (4 and 5 trains).

Notice: You should RSVP for this meeting at rsvp AT lists.nycbug.org. You should receive an autoresponse email. Your email address is sufficient verification for entry.

ZFS is theoretically a powerhouse for data protection and performance, but only if you can dodge its many traps. I'll demonstrate the common ZFS pitfalls and their solutions, along with practical strategies to simplify and scale your backups. I'll also introduce Zelta, a toolkit of management scripts built on Unix fundamentals designed to help you master ZFS with finesse.


https://www.nycbug.org/index?action=view&id=10696


[USN-6752-1] FreeRDP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6752-1
April 25, 2024

freerdp2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in FreeRDP.

Software Description:
- freerdp2: RDP client for Windows Terminal Services

Details:

It was discovered that FreeRDP incorrectly handled certain memory
operations. If a user were tricked into connecting to a malicious server, a
remote attacker could possibly use this issue to cause FreeRDP to crash,
resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
libfreerdp2-2 2.10.0+dfsg1-1.1ubuntu1.3

Ubuntu 22.04 LTS:
libfreerdp2-2 2.6.1+dfsg1-3ubuntu2.7

Ubuntu 20.04 LTS:
libfreerdp2-2 2.6.1+dfsg1-0ubuntu0.20.04.2

After a standard system update you need to restart your session to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6752-1
CVE-2024-32658, CVE-2024-32659, CVE-2024-32660, CVE-2024-32661

Package Information:
https://launchpad.net/ubuntu/+source/freerdp2/2.10.0+dfsg1-1.1ubuntu1.3
https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-3ubuntu2.7
https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-0ubuntu0.20.04.2

Ubuntu 24.04 LTS (Noble Numbat) released

Ubuntu 24.04 LTS, codenamed "Noble Numbat", is here. This release continues
Ubuntu's proud tradition of integrating the latest and greatest open source
technologies into a high-quality, easy-to-use Linux distribution. The team
has been hard at work through this cycle, together with the community and
our partners, to introduce new features and fix bugs.

Our 10th Long Term Supported release sets a new standard in performance
engineering, enterprise security and developer experience.

Ubuntu Desktop brings the Subiquity installer to an LTS for the first time.
In addition to a refreshed user experience and a minimal install by default,
the installer now includes experimental support for ZFS and TPM-based full
disk encryption and the ability to import auto-install configurations. Post
install, users will be greeted with the latest GNOME 46 alongside a new App
Center and firmware-updater. Netplan is now the default for networking
configuration and supports bidirectionality with NetworkManager.

Ubuntu now enables frame pointers by default on 64-bit architectures to
enable CPU and off-CPU profiling for workload optimisation, alongside a
suite of critical performance tools pre-installed. The Linux 6.8 kernel now
enables low-latency features by default. For IoT vendors leveraging 32-bit
arm hardware, our armhf build has been updated to resolve the upcoming 2038
issue by implementing 64-bit time_t in all necessary packages.

As always, Ubuntu ships with the latest toolchain versions. .NET 8 is now
fully supported on Ubuntu 24.04 LTS (and Ubuntu 22.04 LTS) for the full
lifecycle of the release and OpenJDK 21 and 17 are both TCK certified to
adhere to Java interoperability standards. Ubuntu 24.04 LTS ships Rust 1.75
and a simpler Rust toolchain snap framework to enable future rust versions
to be delivered to developers on this release in years to come.

The newest Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon,
Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, and Xubuntu
are also being released today. More details can be found for these at
their individual release notes under the Official Flavours section:

https://discourse.ubuntu.com/t/noble-numbat-release-notes/

Maintenance updates will be provided for 5 years for Ubuntu Desktop,
Ubuntu Server, Ubuntu Cloud and Ubuntu Core. All the remaining flavours
will be supported for 3 years. Additional security support is available
with ESM (Extended Security Maintenance).

To get Ubuntu 24.04 LTS
-----------------------

In order to download Ubuntu 24.04 LTS, visit:

https://ubuntu.com/download

Users of Ubuntu 23.10 will soon be offered an automatic upgrade to 24.04.
Users of 22.04 LTS will be offered the automatic upgrade when 24.04.1
LTS is released, which is scheduled for the 15th of August.
For further information about upgrading, see:

https://ubuntu.com/download/desktop/upgrade

As always, upgrades to the latest version of Ubuntu are entirely free of
charge.

We recommend that all users read the release notes, which document
caveats and workarounds for known issues, and provide more in-depth
information on the release itself. They are available at:

https://discourse.ubuntu.com/t/noble-numbat-release-notes/

Find out what's new in this release with a graphical overview:

https://ubuntu.com/desktop
https://ubuntu.com/desktop/features

If you have a question, or if you think you may have found a bug but
aren't sure, you can try asking in any of the following places:

#ubuntu on irc.libera.chat
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
https://ubuntuforums.org
https://askubuntu.com
https://discourse.ubuntu.com


Help Shape Ubuntu
-----------------

If you would like to help shape Ubuntu, take a look at the list of ways
you can participate at:

https://discourse.ubuntu.com/contribute


About Ubuntu
------------

Ubuntu is a full-featured Linux distribution for desktops, laptops, IoT,
cloud, and servers, with a fast and easy installation and regular
releases. A tightly-integrated selection of excellent applications is
included, and an incredible variety of add-on software is just a few
clicks away.

Professional services including support are available from Canonical and
hundreds of other companies around the world. For more information about
support, visit:

https://ubuntu.com/support


More Information
----------------

You can learn more about Ubuntu and about this release on our website
listed below:

https://ubuntu.com

To sign up for future Ubuntu announcements, please subscribe to Ubuntu's
very low volume announcement list at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce


On behalf of the Ubuntu Release Team,
Utkarsh Gupta

--
ubuntu-announce mailing list
ubuntu-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce

Wednesday, April 24, 2024

[USN-6750-1] Thunderbird vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6750-1
April 25, 2024

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, perform
cross-site tracing, or execute arbitrary code. (CVE-2024-2609,
CVE-2024-3852, CVE-2024-3864)

Bartek Nowotarski discovered that Thunderbird did not properly limit HTTP/2
CONTINUATION frames. An attacker could potentially exploit this issue to
cause a denial of service. (CVE-2024-3302)
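This CONTINUATION-frame issue and CVE-2024-28182 in nghttp2 (USN-6754-1, above) are the same class of bug: a peer sends a HEADERS frame without END_HEADERS and then streams CONTINUATION frames indefinitely, so the receiver keeps buffering or decoding a header block that never ends. As an added example that is not part of either Ubuntu notice nor of Mozilla's or nghttp2's code, the Python below is the frame-level check an HTTP/2 receiver needs: it reassembles header blocks from HEADERS plus CONTINUATION frames and rejects the connection once a block exceeds a byte budget or a frame count, before any HPACK decoding happens. The frame traffic is constructed inline; the HEADERS PADDED and PRIORITY fields are ignored for brevity (an assumption noted in the code), and the class, function and limit names are this example's own.

```python
import struct

# Frame types and flags from RFC 9113 (HTTP/2).
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4
FRAME_HEADER_LEN = 9


class ProtocolViolation(Exception):
    """The peer broke header-block framing rules or exceeded a local limit."""


def build_frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    length = struct.pack(">I", len(payload))[1:]
    return length + bytes((ftype, flags)) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def iter_frames(blob):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    off = 0
    while off < len(blob):
        if off + FRAME_HEADER_LEN > len(blob):
            raise ProtocolViolation("truncated frame header")
        length = int.from_bytes(blob[off:off + 3], "big")
        ftype, flags = blob[off + 3], blob[off + 4]
        stream_id = struct.unpack(">I", blob[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = blob[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ProtocolViolation("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class HeaderBlockAssembler:
    """Reassembles HEADERS + CONTINUATION fragments and enforces limits before HPACK decoding.

    Assumption for brevity: HEADERS payloads are treated as a bare header block fragment;
    a real receiver first strips the PADDED and PRIORITY fields.
    """

    def __init__(self, max_block_bytes=16 * 1024, max_continuations=16):
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self.pending_stream = None
        self.fragment = bytearray()
        self.continuations = 0

    def feed(self, ftype, flags, stream_id, payload):
        """Return (stream_id, header_block) when a block completes, else None."""
        if self.pending_stream is None:
            if ftype == CONTINUATION:
                raise ProtocolViolation("CONTINUATION without preceding HEADERS")
            if ftype != HEADERS:
                return None                      # other frame types are not our concern here
            self.pending_stream, self.fragment, self.continuations = stream_id, bytearray(), 0
        else:
            # RFC 9113 s4.3: until END_HEADERS, only CONTINUATION on the same stream is legal.
            if ftype != CONTINUATION or stream_id != self.pending_stream:
                raise ProtocolViolation("header block interrupted by another frame")
            self.continuations += 1
            if self.continuations > self.max_continuations:
                raise ProtocolViolation("too many CONTINUATION frames")
        self.fragment += payload
        if len(self.fragment) > self.max_block_bytes:
            raise ProtocolViolation("header block exceeds %d bytes" % self.max_block_bytes)
        if flags & END_HEADERS:
            done = (self.pending_stream, bytes(self.fragment))
            self.pending_stream = None
            return done
        return None


def process(blob, **limits):
    """Run raw frames through the assembler; returns ('ok', blocks) or ('rejected', reason)."""
    asm = HeaderBlockAssembler(**limits)
    blocks = []
    try:
        for frame in iter_frames(blob):
            done = asm.feed(*frame)
            if done is not None:
                blocks.append(done)
    except ProtocolViolation as exc:
        return "rejected", str(exc)
    return "ok", blocks


# Constructed sample traffic; the payload bytes stand in for HPACK-encoded headers.
BENIGN = build_frame(HEADERS, END_HEADERS, 1, b"\x82\x86\x84")
SPLIT = (build_frame(HEADERS, 0, 3, b"\x82")
         + build_frame(CONTINUATION, 0, 3, b"\x86")
         + build_frame(CONTINUATION, END_HEADERS, 3, b"\x84"))
# A flood: HEADERS without END_HEADERS, then 1 MiB of CONTINUATION frames that never finish.
FLOOD = build_frame(HEADERS, 0, 5, b"\x82") + b"".join(
    build_frame(CONTINUATION, 0, 5, b"\x00" * 1024) for _ in range(1024))

if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("split", SPLIT), ("flood", FLOOD)):
        print(label, process(data))
```

The two limits are deliberately independent: a byte budget stops a peer sending a few enormous CONTINUATION frames, and a frame count stops one sending thousands of tiny ones, which is the cheap-for-attacker, expensive-for-victim shape. Rejecting at the framing layer means the connection is torn down before any HPACK state is touched.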

Lukas Bernhard discovered that Thunderbird did not properly manage memory
during JIT optimisations, leading to an out-of-bounds read vulnerability.
An attacker could possibly use this issue to cause a denial of service or
expose sensitive information. (CVE-2024-3854)

Lukas Bernhard discovered that Thunderbird did not properly manage memory
when handling JIT created code during garbage collection. An attacker
could potentially exploit this issue to cause a denial of service, or
execute arbitrary code. (CVE-2024-3857)

Ronald Crane discovered that Thunderbird did not properly manage memory in
the OpenType sanitizer on 32-bit devices, leading to an out-of-bounds read
vulnerability. An attacker could possibly use this issue to cause a denial
of service or expose sensitive information. (CVE-2024-3859)

Ronald Crane discovered that Thunderbird did not properly manage memory
when handling an AlignedBuffer. An attacker could potentially exploit this
issue to cause denial of service, or execute arbitrary code. (CVE-2024-3861)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
thunderbird 1:115.10.1+build1-0ubuntu0.23.10.1

Ubuntu 22.04 LTS:
thunderbird 1:115.10.1+build1-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
thunderbird 1:115.10.1+build1-0ubuntu0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6750-1
CVE-2024-2609, CVE-2024-3302, CVE-2024-3852, CVE-2024-3854,
CVE-2024-3857, CVE-2024-3859, CVE-2024-3861, CVE-2024-3864

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.20.04.1

FreeBSD Errata Notice FreeBSD-EN-24:09.zfs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-24:09.zfs Errata Notice
The FreeBSD Project

Topic: High CPU usage by kernel threads related to ZFS

Category: contrib
Module: zfs
Announced: 2024-04-24
Affects: FreeBSD 13.3
Corrected: 2024-04-12 13:00:11 UTC (stable/13, 13-STABLE)
           2024-04-24 20:21:10 UTC (releng/13.3, 13.3-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I. Background

ZFS is an advanced and scalable file system originally developed by Sun
Microsystems for its Solaris operating system. ZFS was integrated into
FreeBSD starting with FreeBSD 7.0, and it has since become a prominent
and preferred choice for storage management.

II. Problem Description

Because ZFS may consume large amounts of RAM to cache various types of
filesystem objects, it continuously monitors the system RAM available to decide
whether to shrink its caches. Some caches are shrunk using a dedicated
thread, to which work is dispatched asynchronously.

In some cases, the cache shrinking logic may dispatch excessive amounts of
work to the "ARC pruning" thread, causing it to continue attempting to shrink
caches even after resource shortages are resolved.

III. Impact

The bug manifests as a kernel thread, "arc_prune", consuming 100% of a CPU core
for indefinite periods, even while the system is otherwise idle. This behavior
also impacts workloads running on the system, by reducing available CPU
resources and by triggering lock contention in the kernel, in particular with
the "vnlru" process whose function is to recycle vnodes (structures representing
files, whether opened or cached), a mechanism frequently triggered by intensive
filesystem workloads.

IV. Workaround

No workaround is available. Systems not using ZFS are unaffected.

V. Solution

Upgrade your system to a supported FreeBSD stable or release / security branch
(releng) dated after the correction date. A reboot is required following the
upgrade.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13 and earlier, can be updated via
the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# reboot

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:09/zfs.patch
# fetch https://security.FreeBSD.org/patches/EN-24:09/zfs.patch.asc
# gpg --verify zfs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
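After either update path, the question to answer is whether the host is at or past 13.3-RELEASE-p2 and, since the notice requires a reboot, whether the kernel now running is the corrected one rather than merely the one installed on disk. The following is an added example, not part of the FreeBSD errata notice: it parses the strings that freebsd-version(1) prints for the installed kernel (`-k`), the running kernel (`-r`) and the userland (`-u`), compares them with the corrected patch level, and flags a pending reboot. The sample values are constructed for a hypothetical host that has installed the fix but not yet rebooted.

```python
"""Check whether a FreeBSD 13.3 host has the EN-24:09.zfs correction applied.

Added example, not part of the FreeBSD errata notice. It compares the
version strings printed by freebsd-version(1) against the corrected patch
level (13.3-RELEASE-p2) and flags the reboot the notice requires when the
installed kernel is newer than the running one. Inputs below are
constructed; on a real host pass the output of
  freebsd-version -k   (installed kernel)
  freebsd-version -r   (running kernel)
  freebsd-version -u   (installed userland)
"""
import re

CORRECTED = "13.3-RELEASE-p2"   # from the Corrected: line of the notice

# Constructed sample: fix installed, host not yet rebooted (hypothetical).
SAMPLE_KERNEL_INSTALLED = "13.3-RELEASE-p2"
SAMPLE_KERNEL_RUNNING = "13.3-RELEASE-p1"
SAMPLE_USERLAND = "13.3-RELEASE-p2"

_VER = re.compile(
    r"^(\d+)\.(\d+)-(RELEASE|STABLE|CURRENT|BETA\d*|RC\d*)(?:-p(\d+))?$"
)


def parse_release(s: str):
    """'13.3-RELEASE-p2' -> (13, 3, 'RELEASE', 2); patch level 0 when absent."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised freebsd-version output: {s!r}")
    major, minor, branch, patch = m.groups()
    return int(major), int(minor), branch, int(patch or 0)


def release_fixed(version: str, corrected: str = CORRECTED) -> bool:
    """True when a release-branch version is at or past the corrected patch level.

    Only the release named in the notice is comparable by patch level; a
    stable/13 host is tracked by commit count (git rev-list, section VI)
    and another release is simply outside this notice, so both give False.
    """
    v = parse_release(version)
    c = parse_release(corrected)
    if v[:3] != c[:3]:
        return False
    return v[3] >= c[3]


def assess(kernel_installed: str, kernel_running: str, userland: str,
           corrected: str = CORRECTED) -> dict:
    """Summarise the host's state relative to the errata notice."""
    state = {
        "kernel_installed_fixed": release_fixed(kernel_installed, corrected),
        "kernel_running_fixed": release_fixed(kernel_running, corrected),
        "userland_fixed": release_fixed(userland, corrected),
    }
    # The fix is in the kernel (module zfs), so a newer kernel on disk than
    # the one running means the correction is not yet effective.
    state["reboot_needed"] = (state["kernel_installed_fixed"]
                              and not state["kernel_running_fixed"])
    return state


if __name__ == "__main__":
    for key, value in assess(SAMPLE_KERNEL_INSTALLED, SAMPLE_KERNEL_RUNNING,
                             SAMPLE_USERLAND).items():
        print(f"{key}: {value}")
```

The split between `-k` and `-r` is the part worth keeping: freebsd-update reports success as soon as the new kernel is on disk, and an inventory that only looks at the installed version will report the host as corrected while the arc_prune thread is still running the old code.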

VI. Correction details

This issue is corrected as of the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              330954bdb822    stable/13-n257698
releng/13.3/                            266b3bd3f26d  releng/13.3-n257432
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

See problem reports
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274698> and
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275594>.

See also the previous, similar errata notice issued for FreeBSD 14.0:
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:18.openzfs.asc>.

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:09.zfs.asc>
-----BEGIN PGP SIGNATURE-----
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=IgLQ
-----END PGP SIGNATURE-----

[USN-6743-3] Linux kernel (Azure) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6743-3
April 24, 2024

linux-azure-6.5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure-6.5: Linux kernel for Microsoft Azure cloud systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- JFS file system;
- BPF subsystem;
- Netfilter;
(CVE-2023-52600, CVE-2024-26589, CVE-2024-26591, CVE-2024-26581,
CVE-2023-52603)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
linux-image-6.5.0-1019-azure 6.5.0-1019.20~22.04.1
linux-image-6.5.0-1019-azure-fde 6.5.0-1019.20~22.04.1
linux-image-azure 6.5.0.1019.20~22.04.1
linux-image-azure-fde 6.5.0.1019.20~22.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
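For a kernel update the package version alone does not tell you whether the host is protected: the fixed image can be fully installed while the machine is still running the previous ABI until it reboots. The following is an added example, not code from the Ubuntu notice: it compares the ABI number in `uname -r` with the ABI of the fixed image package named above, and falls back to the list of installed `linux-image-*` packages to distinguish "reboot pending" from "not installed". The sample `uname -r` value and `dpkg-query` lines are constructed for a hypothetical host; on a real host use `uname -r` and `dpkg-query -W -f '${Package} ${Status}\n' 'linux-image-*'`.

```python
"""Decide whether an Azure host is actually running the fixed kernel.

Added example, not part of USN-6743-3. Installing the fixed linux-image
package is not enough: the notice says a reboot is needed, so the running
kernel (uname -r) has to be compared with the fixed ABI number. Inputs are
constructed here; on a real host use
  uname -r
  dpkg-query -W -f '${Package} ${Status}\n' 'linux-image-*'
"""
import re

# Fixed kernel image from USN-6743-3 (Ubuntu 22.04 LTS, linux-azure-6.5).
FIXED_IMAGE = "linux-image-6.5.0-1019-azure"

# Constructed sample: the fixed image is installed, but the host still runs
# the previous ABI because it has not been rebooted (hypothetical values).
SAMPLE_UNAME_R = "6.5.0-1018-azure"
SAMPLE_DPKG = """\
linux-image-6.5.0-1018-azure install ok installed
linux-image-6.5.0-1019-azure install ok installed
linux-image-azure install ok installed
"""

# version-patch-ABI-flavour, e.g. 6.5.0-1019-azure or 6.5.0-1019-azure-fde
_ABI = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)-([A-Za-z][\w-]*)$")


def parse_abi(name: str):
    """'6.5.0-1019-azure' or 'linux-image-6.5.0-1019-azure' ->
    ((6, 5, 0, 1019), 'azure'); None when there is no ABI suffix (metapackages)."""
    m = _ABI.search(name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:4]), m.group(5)


def installed_images(dpkg_output: str) -> set:
    """Names of linux-image packages whose dpkg status is 'installed'."""
    names = set()
    for line in dpkg_output.splitlines():
        parts = line.split()
        if (len(parts) >= 4 and parts[0].startswith("linux-image-")
                and parts[-1] == "installed"):
            names.add(parts[0])
    return names


def kernel_state(uname_r: str, dpkg_output: str,
                 fixed_image: str = FIXED_IMAGE) -> str:
    """'fixed' (running a fixed ABI), 'reboot-pending' (fixed image installed
    but not running) or 'not-installed'."""
    fixed_abi, flavour = parse_abi(fixed_image)
    running = parse_abi(uname_r)
    if running and running[1] == flavour and running[0] >= fixed_abi:
        return "fixed"
    for name in installed_images(dpkg_output):
        abi = parse_abi(name)
        if abi and abi[1] == flavour and abi[0] >= fixed_abi:
            return "reboot-pending"
    return "not-installed"


if __name__ == "__main__":
    print(f"running {SAMPLE_UNAME_R}: {kernel_state(SAMPLE_UNAME_R, SAMPLE_DPKG)}")
```

The ABI number (the `1019` in `6.5.0-1019-azure`) is what the ATTENTION paragraph refers to: it changes whenever the kernel's module interface changes, so a host reporting `reboot-pending` is also the host on which out-of-tree modules still need rebuilding against the new headers before the reboot.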

References:
https://ubuntu.com/security/notices/USN-6743-3
https://ubuntu.com/security/notices/USN-6743-1
CVE-2023-52600, CVE-2023-52603, CVE-2024-26581, CVE-2024-26589,
CVE-2024-26591

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure-6.5/6.5.0-1019.20~22.04.1