==========================================================================
Ubuntu Security Notice USN-5439-1
May 24, 2022
accountsservice vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
AccountsService could be made to crash or stop responding.
Software Description:
- accountsservice: query and manipulate user account information
Details:
Gunnar Hjalmarsson discovered that AccountsService incorrectly dropped
privileges. A local user could possibly use this issue to cause
AccountsService to crash or stop responding, resulting in a denial of
service. (CVE-2022-1804)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
accountsservice 22.07.5-2ubuntu1.3
libaccountsservice0 22.07.5-2ubuntu1.3
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5439-1
CVE-2022-1804
Package Information:
https://launchpad.net/ubuntu/+source/accountsservice/22.07.5-2ubuntu1.3
Tuesday, May 24, 2022
[USN-5440-1] PostgreSQL vulnerability
==========================================================================
Ubuntu Security Notice USN-5440-1
May 24, 2022
postgresql-10, postgresql-12, postgresql-13, postgresql-14 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
PostgreSQL could be made to execute commands as the superuser.
Software Description:
- postgresql-14: Object-relational SQL database
- postgresql-13: Object-relational SQL database
- postgresql-12: Object-relational SQL database
- postgresql-10: Object-relational SQL database
Details:
Alexander Lakhin discovered that PostgreSQL incorrectly handled the
security restricted operation sandbox when a privileged user is maintaining
another user's objects. An attacker having permission to create non-temp
objects can use this issue to execute arbitrary commands as the superuser.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
postgresql-14 14.3-0ubuntu0.22.04.1
Ubuntu 21.10:
postgresql-13 13.7-0ubuntu0.21.10.1
Ubuntu 20.04 LTS:
postgresql-12 12.11-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
postgresql-10 10.21-0ubuntu0.18.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5440-1
CVE-2022-1552
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-14/14.3-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/postgresql-13/13.7-0ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/postgresql-12/12.11-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/postgresql-10/10.21-0ubuntu0.18.04.1
Ubuntu Security Notice USN-5440-1
May 24, 2022
postgresql-10, postgresql-12, postgresql-13, postgresql-14 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
PostgreSQL could be made to execute commands as the superuser.
Software Description:
- postgresql-14: Object-relational SQL database
- postgresql-13: Object-relational SQL database
- postgresql-12: Object-relational SQL database
- postgresql-10: Object-relational SQL database
Details:
Alexander Lakhin discovered that PostgreSQL incorrectly handled the
security restricted operation sandbox when a privileged user is maintaining
another user's objects. An attacker having permission to create non-temp
objects can use this issue to execute arbitrary commands as the superuser.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
postgresql-14 14.3-0ubuntu0.22.04.1
Ubuntu 21.10:
postgresql-13 13.7-0ubuntu0.21.10.1
Ubuntu 20.04 LTS:
postgresql-12 12.11-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
postgresql-10 10.21-0ubuntu0.18.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5440-1
CVE-2022-1552
Package Information:
https://launchpad.net/ubuntu/+source/postgresql-14/14.3-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/postgresql-13/13.7-0ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/postgresql-12/12.11-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/postgresql-10/10.21-0ubuntu0.18.04.1
Monday, May 23, 2022
[USN-5438-1] HTMLDOC vulnerability
==========================================================================
Ubuntu Security Notice USN-5438-1
May 23, 2022
htmldoc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
HTMLDOC could be made to crash or run programs if it received specially
crafted HTML files.
Software Description:
- htmldoc: HTML processor that generates indexed HTML, PS, and PDF
Details:
It was discovered that HTMLDOC did not properly manage memory under certain
circumstances. If a user were tricked into opening a specially crafted HTML
file, a remote attacker could possibly use this issue to cause HTMLDOC to
crash, resulting in a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
htmldoc 1.9.7-1ubuntu0.3
htmldoc-common 1.9.7-1ubuntu0.3
Ubuntu 18.04 LTS:
htmldoc 1.9.2-1ubuntu0.2
htmldoc-common 1.9.2-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5438-1
CVE-2021-23165
Package Information:
https://launchpad.net/ubuntu/+source/htmldoc/1.9.7-1ubuntu0.3
https://launchpad.net/ubuntu/+source/htmldoc/1.9.2-1ubuntu0.2
Ubuntu Security Notice USN-5438-1
May 23, 2022
htmldoc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
HTMLDOC could be made to crash or run programs if it received specially
crafted HTML files.
Software Description:
- htmldoc: HTML processor that generates indexed HTML, PS, and PDF
Details:
It was discovered that HTMLDOC did not properly manage memory under certain
circumstances. If a user were tricked into opening a specially crafted HTML
file, a remote attacker could possibly use this issue to cause HTMLDOC to
crash, resulting in a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
htmldoc 1.9.7-1ubuntu0.3
htmldoc-common 1.9.7-1ubuntu0.3
Ubuntu 18.04 LTS:
htmldoc 1.9.2-1ubuntu0.2
htmldoc-common 1.9.2-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5438-1
CVE-2021-23165
Package Information:
https://launchpad.net/ubuntu/+source/htmldoc/1.9.7-1ubuntu0.3
https://launchpad.net/ubuntu/+source/htmldoc/1.9.2-1ubuntu0.2
[USN-5437-1] libXfixes vulnerability
==========================================================================
Ubuntu Security Notice USN-5437-1
May 23, 2022
libxfixes vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
libXfixes could be made to crash or run programs if it received specially
crafted input.
Software Description:
- libxfixes: X11 miscellaneous fixes extension library
Details:
Tobias Stoeckmann discovered that libXfixes incorrectly handled certain
inputs. An attacker could possibly use this issue to cause a denial
of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libxfixes3 1:5.0.1-2ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5437-1
CVE-2016-7944
Ubuntu Security Notice USN-5437-1
May 23, 2022
libxfixes vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
libXfixes could be made to crash or run programs if it received specially
crafted input.
Software Description:
- libxfixes: X11 miscellaneous fixes extension library
Details:
Tobias Stoeckmann discovered that libXfixes incorrectly handled certain
inputs. An attacker could possibly use this issue to cause a denial
of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libxfixes3 1:5.0.1-2ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5437-1
CVE-2016-7944
[USN-5436-1] libXrender vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5436-1
May 23, 2022
libxrender vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in libXrender.
Software Description:
- libxrender: X11 Rendering Extension client library
Details:
Tobias Stoeckmann discovered that libXrender incorrectly handled certain
responses. An attacker could possibly use this issue to cause a denial
of service, or possibly execute arbitrary code.
(CVE-2016-7949, CVE-2016-7950)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libxrender1 1:0.9.9-0ubuntu1+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5436-1
CVE-2016-7949, CVE-2016-7950
Ubuntu Security Notice USN-5436-1
May 23, 2022
libxrender vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in libXrender.
Software Description:
- libxrender: X11 Rendering Extension client library
Details:
Tobias Stoeckmann discovered that libXrender incorrectly handled certain
responses. An attacker could possibly use this issue to cause a denial
of service, or possibly execute arbitrary code.
(CVE-2016-7949, CVE-2016-7950)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libxrender1 1:0.9.9-0ubuntu1+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5436-1
CVE-2016-7949, CVE-2016-7950
OpenIKED 7.1 released
We have released OpenIKED 7.1, which will be arriving in the
OpenIKED directory of your local OpenBSD mirror soon.
This release includes the following changes to the previous release:
* Added 'ikectl show certinfo' command to print loaded CAs and certificates
* Improved IKEv2 Message Fragmentation with more reliable retransmission logic
* Take "Destination ID" payload into consideration when matching policy for
incoming handshake to allow finer control over flow configuration
* Changed the "proto" config field to optionally accept a list of protocols
* Added support for using AppArmor to limit process privileges on Linux.
* Hardened default build flags
* Fixed a bug where authentication via local certificates did not work
as intended
* Fixed handshake proposal matching bug
* Fixed a bug where alive timer was not reset on config reloading
* Fixed a bug where iked sent zero-prefixed NAT-T messages on port 500
causing parsing errors.
* Fixed several memory leaks
* Added a new portable regression test
OpenIKED is known to compile and run on FreeBSD, NetBSD, macOS
and the Linux distributions Arch, Debian, Fedora and Ubuntu.
It is our hope that packagers take interest and help adapt
OpenIKED to more distributions.
OpenIKED can be downloaded from any of the mirrors listed at
https://www.openbsd.org/ftp.html, from the /pub/OpenBSD/OpenIKED
directory.
General bugs may be reported to bugs@openbsd.org. Portable bugs
may be filed at https://github.com/openiked/openiked-portable.
We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.
OpenIKED directory of your local OpenBSD mirror soon.
This release includes the following changes to the previous release:
* Added 'ikectl show certinfo' command to print loaded CAs and certificates
* Improved IKEv2 Message Fragmentation with more reliable retransmission logic
* Take "Destination ID" payload into consideration when matching policy for
incoming handshake to allow finer control over flow configuration
* Changed the "proto" config field to optionally accept a list of protocols
* Added support for using AppArmor to limit process privileges on Linux.
* Hardened default build flags
* Fixed a bug where authentication via local certificates did not work
as intended
* Fixed handshake proposal matching bug
* Fixed a bug where alive timer was not reset on config reloading
* Fixed a bug where iked sent zero-prefixed NAT-T messages on port 500
causing parsing errors.
* Fixed several memory leaks
* Added a new portable regression test
OpenIKED is known to compile and run on FreeBSD, NetBSD, macOS
and the Linux distributions Arch, Debian, Fedora and Ubuntu.
It is our hope that packagers take interest and help adapt
OpenIKED to more distributions.
OpenIKED can be downloaded from any of the mirrors listed at
https://www.openbsd.org/ftp.html, from the /pub/OpenBSD/OpenIKED
directory.
General bugs may be reported to bugs@openbsd.org. Portable bugs
may be filed at https://github.com/openiked/openiked-portable.
We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.
F37 proposal: Enhance Persian Font Support (Self-Contained Change proposal)
https://fedoraproject.org/wiki/Changes/EnhancePersianFontSupport
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
= Enhance Persian Font Support =
{{Change_Proposal_Banner}}
== Summary ==
This change aims to provide a consistent experience for those who use
Fedora in Persian or write or read Persian text in Fedora.
== Owner ==
* Name: [[User:hedayat| Hedayat Vatankhah]]
* Email: <hedayat@fedoraproject.org>
== Detailed Description ==
Traditionally, DejaVu fonts were used for Persian text in Fedora
consistently; and considering the lack of suitable free Persian fonts,
it was an acceptable choice (although some considered it to not be
beautiful enough).
With changes in Fedora fonts in recent releases (mainly, addition of
Droid & Noto fonts to default installation), Fedora provides an
inconsistent experience for users who use Persian text and makes a bad
impression on users. There are at least three different fonts used in
a default Fedora Workstation for Sans Persian text in different
situations, one of which is actually considered a cursive font for
Persian.
Additionally, now we have a number of free Persian fonts, which can be
used to present a more beautiful experience for Persian text. This
change aims to:
# Provide a consistent default Sans font for Persian in Fedora, used
in all appropriate places instead of multiple different fonts. Right
now, the aim is to use Vazirmatn font as the default Persian font.
# Add new free Persian fonts to Fedora to provide a better experience
for users who need them.
== Benefit to Fedora ==
Enhances the experience of users of Persian text in Fedora, by
providing a beautiful font to be used by default consistently and to
provide modern free Persian fonts for users.
== Scope ==
* Proposal owners:
# Package new free Persian fonts for Fedora
# Make the selected font the default one for Persian
# Try to find out why Firefox/Thunderbird doesn't follow system
default font (optional)
# Update Fedora `comps.xml` to install the default font for Persian
# Provide PR for langpacks/lorax if needed for the new default Persian font
# Might need some fixes in Firefox/Thunderbird to follow system
default font when it is selected
# Might need changes in langpacks/lorax
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:
== Upgrade/compatibility impact ==
Default Persian font will be changed automatically on upgrades.
== How To Test ==
== User Experience ==
Users who read/write Persian text in Fedora are presented with a new
more beautiful font used by default consistently in all applications.
== Dependencies ==
No hard dependencies, but an optional change might be needed in some
packages (Firefox/Thunderbird) to provide a more consistent
experience.
== Contingency Plan ==
* Contingency mechanism: We won't ship new fonts and we won't change
the default font.
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)
== Documentation ==
More detailed background on the topic is provided in this
[https://lists.fedoraproject.org/archives/list/fonts@lists.fedoraproject.org/thread/5FOJGD2P6BTKH5GUSXBEQPS4JR2FVQYM/
email].
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
= Enhance Persian Font Support =
{{Change_Proposal_Banner}}
== Summary ==
This change aims to provide a consistent experience for those who use
Fedora in Persian or write or read Persian text in Fedora.
== Owner ==
* Name: [[User:hedayat| Hedayat Vatankhah]]
* Email: <hedayat@fedoraproject.org>
== Detailed Description ==
Traditionally, DejaVu fonts were used for Persian text in Fedora
consistently; and considering the lack of suitable free Persian fonts,
it was an acceptable choice (although some considered it to not be
beautiful enough).
With changes in Fedora fonts in recent releases (mainly, addition of
Droid & Noto fonts to default installation), Fedora provides an
inconsistent experience for users who use Persian text and makes a bad
impression on users. There are at least three different fonts used in
a default Fedora Workstation for Sans Persian text in different
situations, one of which is actually considered a cursive font for
Persian.
Additionally, now we have a number of free Persian fonts, which can be
used to present a more beautiful experience for Persian text. This
change aims to:
# Provide a consistent default Sans font for Persian in Fedora, used
in all appropriate places instead of multiple different fonts. Right
now, the aim is to use Vazirmatn font as the default Persian font.
# Add new free Persian fonts to Fedora to provide a better experience
for users who need them.
== Benefit to Fedora ==
Enhances the experience of users of Persian text in Fedora, by
providing a beautiful font to be used by default consistently and to
provide modern free Persian fonts for users.
== Scope ==
* Proposal owners:
# Package new free Persian fonts for Fedora
# Make the selected font the default one for Persian
# Try to find out why Firefox/Thunderbird doesn't follow system
default font (optional)
# Update Fedora `comps.xml` to install the default font for Persian
# Provide PR for langpacks/lorax if needed for the new default Persian font
# Might need some fixes in Firefox/Thunderbird to follow system
default font when it is selected
# Might need changes in langpacks/lorax
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:
== Upgrade/compatibility impact ==
Default Persian font will be changed automatically on upgrades.
== How To Test ==
== User Experience ==
Users who read/write Persian text in Fedora are presented with a new
more beautiful font used by default consistently in all applications.
== Dependencies ==
No hard dependencies, but an optional change might be needed in some
packages (Firefox/Thunderbird) to provide a more consistent
experience.
== Contingency Plan ==
* Contingency mechanism: We won't ship new fonts and we won't change
the default font.
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)
== Documentation ==
More detailed background on the topic is provided in this
[https://lists.fedoraproject.org/archives/list/fonts@lists.fedoraproject.org/thread/5FOJGD2P6BTKH5GUSXBEQPS4JR2FVQYM/
email].
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[USN-5435-1] Thunderbird vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5435-1
May 23, 2022
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
bypass permission prompts, obtain sensitive information, bypass security
restrictions, cause user confusion, or execute arbitrary code.
(CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913,
CVE-2022-29914, CVE-2022-29916, CVE-2022-29917)
It was discovered that Thunderbird would show the wrong security status
after viewing an attached message that is signed or encrypted. An attacker
could potentially exploit this by tricking the user into trusting the
authenticity of a message. (CVE-2022-1520)
It was discovered that the methods of an Array object could be corrupted
as a result of prototype pollution by sending a message to the parent
process. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could exploit this to execute
JavaScript in a privileged context. (CVE-2022-1529, CVE-2022-1802)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
thunderbird 1:91.9.1+build1-0ubuntu0.22.04.1
Ubuntu 21.10:
thunderbird 1:91.9.1+build1-0ubuntu0.21.10.1
Ubuntu 20.04 LTS:
thunderbird 1:91.9.1+build1-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
thunderbird 1:91.9.1+build1-0ubuntu0.18.04.1
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5435-1
CVE-2022-1520, CVE-2022-1529, CVE-2022-1802, CVE-2022-19916,
CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913,
CVE-2022-29914, CVE-2022-29917
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:91.9.1+build1-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:91.9.1+build1-0ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:91.9.1+build1-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:91.9.1+build1-0ubuntu0.18.04.1
Ubuntu Security Notice USN-5435-1
May 23, 2022
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
bypass permission prompts, obtain sensitive information, bypass security
restrictions, cause user confusion, or execute arbitrary code.
(CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913,
CVE-2022-29914, CVE-2022-29916, CVE-2022-29917)
It was discovered that Thunderbird would show the wrong security status
after viewing an attached message that is signed or encrypted. An attacker
could potentially exploit this by tricking the user into trusting the
authenticity of a message. (CVE-2022-1520)
It was discovered that the methods of an Array object could be corrupted
as a result of prototype pollution by sending a message to the parent
process. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could exploit this to execute
JavaScript in a privileged context. (CVE-2022-1529, CVE-2022-1802)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
thunderbird 1:91.9.1+build1-0ubuntu0.22.04.1
Ubuntu 21.10:
thunderbird 1:91.9.1+build1-0ubuntu0.21.10.1
Ubuntu 20.04 LTS:
thunderbird 1:91.9.1+build1-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
thunderbird 1:91.9.1+build1-0ubuntu0.18.04.1
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5435-1
CVE-2022-1520, CVE-2022-1529, CVE-2022-1802, CVE-2022-19916,
CVE-2022-29909, CVE-2022-29911, CVE-2022-29912, CVE-2022-29913,
CVE-2022-29914, CVE-2022-29917
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:91.9.1+build1-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:91.9.1+build1-0ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:91.9.1+build1-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:91.9.1+build1-0ubuntu0.18.04.1
[USN-5434-1] Firefox vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5434-1
May 23, 2022
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Firefox could be made to execute JavaScript in a privileged context if it
opened a malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
It was discovered that the methods of an Array object could be corrupted
as a result of prototype pollution by sending a message to the parent
process. If a user were tricked into opening a specially crafted website,
an attacker could exploit this to execute JavaScript in a privileged
context.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.10:
firefox 100.0.2+build1-0ubuntu0.21.10.1
Ubuntu 20.04 LTS:
firefox 100.0.2+build1-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
firefox 100.0.2+build1-0ubuntu0.18.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5434-1
CVE-2022-1529, CVE-2022-1802
Package Information:
https://launchpad.net/ubuntu/+source/firefox/100.0.2+build1-0ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/firefox/100.0.2+build1-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/firefox/100.0.2+build1-0ubuntu0.18.04.1
Ubuntu Security Notice USN-5434-1
May 23, 2022
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Firefox could be made to execute JavaScript in a privileged context if it
opened a malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
It was discovered that the methods of an Array object could be corrupted
as a result of prototype pollution by sending a message to the parent
process. If a user were tricked into opening a specially crafted website,
an attacker could exploit this to execute JavaScript in a privileged
context.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.10:
firefox 100.0.2+build1-0ubuntu0.21.10.1
Ubuntu 20.04 LTS:
firefox 100.0.2+build1-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
firefox 100.0.2+build1-0ubuntu0.18.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5434-1
CVE-2022-1529, CVE-2022-1802
Package Information:
https://launchpad.net/ubuntu/+source/firefox/100.0.2+build1-0ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/firefox/100.0.2+build1-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/firefox/100.0.2+build1-0ubuntu0.18.04.1
[USN-5433-1] Vim vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5433-1
May 23, 2022
vim vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in Vim.
Software Description:
- vim: Vi IMproved - enhanced vi editor
Details:
It was discovered that Vim incorrectly handled parsing of filenames in its
search functionality. If a user were tricked into opening a specially
crafted
file, an attacker could crash the application, leading to a denial of
service. (CVE-2021-3973)
It was discovered that Vim incorrectly handled memory when opening and
searching the contents of certain files. If a user were tricked into opening
a specially crafted file, an attacker could crash the application,
leading to
a denial of service, or possibly achieve code execution with user
privileges.
(CVE-2021-3974)
It was discovered that Vim incorrectly handled memory when opening and
editing certain files. If a user were tricked into opening a specially
crafted file,
an attacker could crash the application, leading to a denial of service, or
possibly achieve code execution with user privileges. (CVE-2021-3984,
CVE-2021-4019, CVE-2021-4069)
It was discovered that Vim was using freed memory when dealing with regular
expressions inside a visual selection. If a user were tricked into opening a
specially crafted file, an attacker could crash the application, leading
to a
denial of service, or possibly achieve code execution with user privileges.
(CVE-2021-4192)
It was discovered that Vim was incorrectly performing read and write
operations when in visual block mode, going beyond the end of a line and
causing a heap buffer overflow. If a user were tricked into opening a
specially crafted file, an attacker could crash the application, leading
to a
denial of service, or possibly achieve code execution with user privileges.
(CVE-2022-0261, CVE-2022-0318)
It was discovered that Vim was using freed memory when dealing with regular
expressions through its old regular expression engine. If a user were
tricked
into opening a specially crafted file, an attacker could crash the
application,
leading to a denial of service, or possibly achieve code execution with user
privileges. (CVE-2022-1154)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
vim 2:7.4.1689-3ubuntu1.5+esm4
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5433-1
CVE-2021-3973, CVE-2021-3974, CVE-2021-3984, CVE-2021-4019,
CVE-2021-4069, CVE-2021-4192, CVE-2022-0261, CVE-2022-0318,
CVE-2022-1154
Ubuntu Security Notice USN-5433-1
May 23, 2022
vim vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in Vim.
Software Description:
- vim: Vi IMproved - enhanced vi editor
Details:
It was discovered that Vim incorrectly handled parsing of filenames in its
search functionality. If a user were tricked into opening a specially
crafted
file, an attacker could crash the application, leading to a denial of
service. (CVE-2021-3973)
It was discovered that Vim incorrectly handled memory when opening and
searching the contents of certain files. If a user were tricked into opening
a specially crafted file, an attacker could crash the application,
leading to
a denial of service, or possibly achieve code execution with user
privileges.
(CVE-2021-3974)
It was discovered that Vim incorrectly handled memory when opening and
editing certain files. If a user were tricked into opening a specially
crafted file,
an attacker could crash the application, leading to a denial of service, or
possibly achieve code execution with user privileges. (CVE-2021-3984,
CVE-2021-4019, CVE-2021-4069)
It was discovered that Vim was using freed memory when dealing with regular
expressions inside a visual selection. If a user were tricked into opening a
specially crafted file, an attacker could crash the application, leading
to a
denial of service, or possibly achieve code execution with user privileges.
(CVE-2021-4192)
It was discovered that Vim was incorrectly performing read and write
operations when in visual block mode, going beyond the end of a line and
causing a heap buffer overflow. If a user were tricked into opening a
specially crafted file, an attacker could crash the application, leading
to a
denial of service, or possibly achieve code execution with user privileges.
(CVE-2022-0261, CVE-2022-0318)
It was discovered that Vim was using freed memory when dealing with regular
expressions through its old regular expression engine. If a user were
tricked
into opening a specially crafted file, an attacker could crash the
application,
leading to a denial of service, or possibly achieve code execution with user
privileges. (CVE-2022-1154)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
vim 2:7.4.1689-3ubuntu1.5+esm4
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5433-1
CVE-2021-3973, CVE-2021-3974, CVE-2021-3984, CVE-2021-4019,
CVE-2021-4069, CVE-2021-4192, CVE-2022-0261, CVE-2022-0318,
CVE-2022-1154
[USN-5432-1] libpng vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5432-1
May 23, 2022
libpng vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in libpng.
Software Description:
- libpng: PNG (Portable Network Graphics) file library
Details:
It was discovered that libpng incorrectly handled memory when parsing
certain PNG files. If a user or automated system were tricked into opening
a specially crafted PNG file, an attacker could use this issue to cause
libpng to crash, resulting in a denial of service, or possible execute
arbitrary code. (CVE-2017-12652)
Zhengxiong Luo discovered that libpng incorrectly handled memory when parsing
certain PNG files. If a user or automated system were tricked into opening
a specially crafted PNG file, an attacker could use this issue to cause
libpng to crash, resulting in a denial of service, or possible execute
arbitrary code. (CVE-2018-14048)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libpng12-0 1.2.54-1ubuntu1.1+esm1
libpng12-dev 1.2.54-1ubuntu1.1+esm1
libpng3 1.2.54-1ubuntu1.1+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5432-1
CVE-2017-12652, CVE-2018-14048
Ubuntu Security Notice USN-5432-1
May 23, 2022
libpng vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in libpng.
Software Description:
- libpng: PNG (Portable Network Graphics) file library
Details:
It was discovered that libpng incorrectly handled memory when parsing
certain PNG files. If a user or automated system were tricked into opening
a specially crafted PNG file, an attacker could use this issue to cause
libpng to crash, resulting in a denial of service, or possible execute
arbitrary code. (CVE-2017-12652)
Zhengxiong Luo discovered that libpng incorrectly handled memory when parsing
certain PNG files. If a user or automated system were tricked into opening
a specially crafted PNG file, an attacker could use this issue to cause
libpng to crash, resulting in a denial of service, or possible execute
arbitrary code. (CVE-2018-14048)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libpng12-0 1.2.54-1ubuntu1.1+esm1
libpng12-dev 1.2.54-1ubuntu1.1+esm1
libpng3 1.2.54-1ubuntu1.1+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5432-1
CVE-2017-12652, CVE-2018-14048
Friday, May 20, 2022
Invitation to ALP Community Work Group (doodle for meeting slot)
Hello openSUSE!
now when Leap 15.4 RC and Leap Micro 5.2 GA announcements are settled
let's go now for something completely different.
I'd like to invite you to a newly formed Community Work Group (or CWG)
around the new *Adaptable Linux Platform
https://en.opensuse.org/openSUSE:ALP/Workgroups/Community
We'll initially focus on transparency during ALP planning, prototyping,
and related public communication, opensuse infra readiness . There are
topics where we can already start working right now. The first desktop
*workshop has shown us that we need to focus on areas such as single
place for documentation, our "signature" look and feel, brand
recognition, event calendar, etc.
We will to turn feedback from the workshop into action items and ensure
we have WG members working on them.
We have a big opportunity in this regard since unlike SLES 15 , ALP is
going to (and already being *prototyped) be built in OBS by default.
If you're interested then please tell us which one of existing weekly
community weekly slots (Tuesday/Thursday) should be used for regular
CWG meetups https://doodle.com/meeting/organize/id/b68562Ve
[0]https://lists.opensuse.org/archives/list/project@lists.opensuse.org/thread/N6TTE7ZBY7GFJ27XSDTXRF3MVLF6HW4W/
[1]https://en.opensuse.org/openSUSE:ALP/Workgroups/Community/Workshops/LeapDesktop
[2]https://build.opensuse.org/project/show/devel:LEO
now when Leap 15.4 RC and Leap Micro 5.2 GA announcements are settled
let's go now for something completely different.
I'd like to invite you to a newly formed Community Work Group (or CWG)
around the new *Adaptable Linux Platform
https://en.opensuse.org/openSUSE:ALP/Workgroups/Community
We'll initially focus on transparency during ALP planning, prototyping,
and related public communication, opensuse infra readiness . There are
topics where we can already start working right now. The first desktop
*workshop has shown us that we need to focus on areas such as single
place for documentation, our "signature" look and feel, brand
recognition, event calendar, etc.
We will to turn feedback from the workshop into action items and ensure
we have WG members working on them.
We have a big opportunity in this regard since unlike SLES 15 , ALP is
going to (and already being *prototyped) be built in OBS by default.
If you're interested then please tell us which one of existing weekly
community weekly slots (Tuesday/Thursday) should be used for regular
CWG meetups https://doodle.com/meeting/organize/id/b68562Ve
[0]https://lists.opensuse.org/archives/list/project@lists.opensuse.org/thread/N6TTE7ZBY7GFJ27XSDTXRF3MVLF6HW4W/
[1]https://en.opensuse.org/openSUSE:ALP/Workgroups/Community/Workshops/LeapDesktop
[2]https://build.opensuse.org/project/show/devel:LEO
Subscribe to:
Posts (Atom)