Reminder - the Fedora Linux 41 Final Go/No-Go meeting will take place tomorrow, Thursday 24th October on #fedora-meeting @ 1700 UTC. You can find more details on the Fedocal calendar[1]. At this time we will determine the status of F41 Final for the 29th October early target date[2].
Wednesday, October 23, 2024
[USN-7082-1] libheif vulnerability
==========================================================================
Ubuntu Security Notice USN-7082-1
October 23, 2024
libheif vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
libheif could be made to crash or read sensitive data if it opened a
specially crafted file
Software Description:
- libheif: an ISO/IEC 23008-12:2017 HEIF and AVIF file format decoder and
encoder
Details:
Gerrard Tai discovered that libheif did not properly validate certain
images, leading to an out-of-bounds read and write vulnerability. If a user
or automated system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to cause a denial of service or to
obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libheif1 1.17.6-1ubuntu4.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7082-1
CVE-2024-41311
Package Information:
https://launchpad.net/ubuntu/+source/libheif/1.17.6-1ubuntu4.1
[USN-7081-1] Go vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7081-1
October 23, 2024
golang-1.22 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Go.
Software Description:
- golang-1.22: Go programming language compiler
Details:
It was discovered that the Go net/http module did not properly handle
responses to requests with an "Expect: 100-continue" header under certain
circumstances. An attacker could possibly use this issue to cause a denial
of service. (CVE-2024-24791)
It was discovered that the Go parser module did not properly handle deeply
nested literal values. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2024-34155)
It was discovered that the Go encoding/gob module did not properly handle
message decoding under certain circumstances. An attacker could possibly
use this issue to cause a panic resulting in a denial of service.
(CVE-2024-34156)
It was discovered that the Go build module did not properly handle certain
build tag lines with deeply nested expressions. An attacker could possibly
use this issue to cause a panic resulting in a denial of service.
(CVE-2024-34158)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
golang-1.22 1.22.2-2ubuntu0.3
golang-1.22-go 1.22.2-2ubuntu0.3
golang-1.22-src 1.22.2-2ubuntu0.3
Ubuntu 22.04 LTS
golang-1.22 1.22.2-2~22.04.2
golang-1.22-go 1.22.2-2~22.04.2
golang-1.22-src 1.22.2-2~22.04.2
Ubuntu 20.04 LTS
golang-1.22 1.22.2-2~20.04.2
golang-1.22-go 1.22.2-2~20.04.2
golang-1.22-src 1.22.2-2~20.04.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7081-1
CVE-2024-24791, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158
Package Information:
https://launchpad.net/ubuntu/+source/golang-1.22/1.22.2-2ubuntu0.3
https://launchpad.net/ubuntu/+source/golang-1.22/1.22.2-2~22.04.2
https://launchpad.net/ubuntu/+source/golang-1.22/1.22.2-2~20.04.2
Tuesday, October 22, 2024
[USN-7079-1] WebKitGTK vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7079-1
October 22, 2024
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in WebKitGTK.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libjavascriptcoregtk-4.1-0 2.46.1-0ubuntu0.24.04.1
libjavascriptcoregtk-6.0-1 2.46.1-0ubuntu0.24.04.1
libwebkit2gtk-4.1-0 2.46.1-0ubuntu0.24.04.1
libwebkitgtk-6.0-4 2.46.1-0ubuntu0.24.04.1
Ubuntu 22.04 LTS
libjavascriptcoregtk-4.0-18 2.46.1-0ubuntu0.22.04.3
libjavascriptcoregtk-4.1-0 2.46.1-0ubuntu0.22.04.3
libjavascriptcoregtk-6.0-1 2.46.1-0ubuntu0.22.04.3
libwebkit2gtk-4.0-37 2.46.1-0ubuntu0.22.04.3
libwebkit2gtk-4.1-0 2.46.1-0ubuntu0.22.04.3
libwebkitgtk-6.0-4 2.46.1-0ubuntu0.22.04.3
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7079-1
CVE-2024-40866, CVE-2024-44187
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.1-0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.1-0ubuntu0.22.04.3
[USN-7080-1] Unbound vulnerability
==========================================================================
Ubuntu Security Notice USN-7080-1
October 22, 2024
unbound vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Unbound could be made to stop responding if it received specially crafted
DNS traffic.
Software Description:
- unbound: validating, recursive, caching DNS resolver
Details:
Toshifumi Sakaguchi discovered that Unbound incorrectly handled name
compression for large RRsets, which could lead to excessive CPU usage.
An attacker could potentially use this issue to cause a denial of service
by sending specially crafted DNS responses.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libunbound8 1.20.0-1ubuntu2.1
unbound 1.20.0-1ubuntu2.1
Ubuntu 24.04 LTS
libunbound8 1.19.2-1ubuntu3.3
unbound 1.19.2-1ubuntu3.3
Ubuntu 22.04 LTS
libunbound8 1.13.1-1ubuntu5.8
unbound 1.13.1-1ubuntu5.8
Ubuntu 20.04 LTS
libunbound8 1.9.4-2ubuntu1.9
unbound 1.9.4-2ubuntu1.9
Ubuntu 18.04 LTS
libunbound2 1.6.7-1ubuntu2.6+esm3
Available with Ubuntu Pro
unbound 1.6.7-1ubuntu2.6+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libunbound2 1.5.8-1ubuntu1.1+esm2
Available with Ubuntu Pro
unbound 1.5.8-1ubuntu1.1+esm2
Available with Ubuntu Pro
Ubuntu 14.04 LTS
libunbound2 1.4.22-1ubuntu4.14.04.3+esm2
Available with Ubuntu Pro
unbound 1.4.22-1ubuntu4.14.04.3+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7080-1
CVE-2024-8508
Package Information:
https://launchpad.net/ubuntu/+source/unbound/1.20.0-1ubuntu2.1
https://launchpad.net/ubuntu/+source/unbound/1.19.2-1ubuntu3.3
https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubuntu5.8
https://launchpad.net/ubuntu/+source/unbound/1.9.4-2ubuntu1.9
[USN-7078-1] Firefox vulnerability
==========================================================================
Ubuntu Security Notice USN-7078-1
October 22, 2024
firefox vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Firefox could be made to crash or run programs as your login
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Atte Kettunen discovered that Firefox did not properly validate before
inserting ranges into the selection node cache. An attacker could possibly
use this issue to cause a denial of service or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
firefox 131.0.3+build1-0ubuntu0.20.04.1
After a standard system update you need to restart Firefox to make all the
necessary changes.
References:
https://ubuntu.com/security/notices/USN-7078-1
CVE-2024-9936
Package Information:
https://launchpad.net/ubuntu/+source/firefox/131.0.3+build1-0ubuntu0.20.04.1
Monday, October 21, 2024
[USN-7072-2] Linux kernel (GKE) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7072-2
October 21, 2024
linux-gke vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
Details:
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Watchdog drivers;
- Netfilter;
- Network traffic control;
(CVE-2024-38630, CVE-2024-27397, CVE-2024-45016)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
linux-image-5.15.0-1068-gke 5.15.0-1068.74
linux-image-gke 5.15.0.1068.67
linux-image-gke-5.15 5.15.0.1068.67
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7072-2
https://ubuntu.com/security/notices/USN-7072-1
CVE-2024-27397, CVE-2024-38630, CVE-2024-45016
Package Information:
https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1068.74
[USN-7062-2] libgsf vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7062-2
October 21, 2024
libgsf vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
libgsf could be made to run programs as your login if it opened a specially
crafted file.
Software Description:
- libgsf: GObject introspection data for the Structured File Library
Details:
USN-7062-1 fixed vulnerabilities in libgsf. This update provides the
corresponding updates for Ubuntu 24.10.
Original advisory details:
It was discovered that libgsf incorrectly handled certain Compound
Document Binary files. If a user or automated system were tricked into
opening a specially crafted file, a remote attacker could possibly use
this issue to execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libgsf-1-114 1.14.52-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7062-2
https://ubuntu.com/security/notices/USN-7062-1
CVE-2024-36474, CVE-2024-42415
Package Information:
https://launchpad.net/ubuntu/+source/libgsf/1.14.52-1ubuntu0.1
[USN-7042-3] cups-browsed vulnerability
==========================================================================
Ubuntu Security Notice USN-7042-3
October 21, 2024
cups-browsed vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
cups-browsed could be made to run programs if it received specially crafted
network traffic.
Software Description:
- cups-browsed: OpenPrinting cups-browsed
Details:
USN-7042-2 released an improved fix for cups-browsed. This update provides
the corresponding update for Ubuntu 24.10.
Original advisory details:
Simone Margaritelli discovered that cups-browsed could be used to create
arbitrary printers from outside the local network. In combination with
issues in other printing components, a remote attacker could possibly use
this issue to connect to a system, create manipulated PPD files, and
execute arbitrary code when a printer is used. This update disables
support for the legacy CUPS printer discovery protocol.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
cups-browsed 2.0.1-0ubuntu2.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7042-3
https://ubuntu.com/security/notices/USN-7042-2
https://ubuntu.com/security/notices/USN-7042-1
CVE-2024-47176
Package Information:
https://launchpad.net/ubuntu/+source/cups-browsed/2.0.1-0ubuntu2.1
F42 Change Proposal: Retire zbus v1 (system-wide)
Wiki - https://fedoraproject.org/wiki/Changes/RetireZbusV1
Discussion thread -
https://discussion.fedoraproject.org/t/f42-change-proposal-retire-zbus-v1f/134265
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
The packages for v1 of the zbus crate (and the packages for v2 of the
zvariant crate) will be retired from Fedora 42. Dependent packages are
to be ported to a non-obsolete version of these libraries (i.e. zbus
v4 or v5) or to be retired as well.
== Owner ==
* Name: [[User:Decathorpe| Fabio Valentini]] for the Rust SIG
* Email: decathorpe@gmail.com
* Email: rust@lists.fedoraproject.org
== Detailed Description ==
Fedora includes packages for different versions of the zbus crate. The
packages for zbus v3 were recently retired from Fedora 42 since the
last package that used this version was ported to v4. However, there
are still a few packages left that depend on the long-obsolete zbus
v1, and tickets have been filed (or did already exist) about updating
the zbus dependency:
* `nmstate` - https://github.com/nmstate/nmstate/issues/2803
* `rust-libslirp` - https://gitlab.freedesktop.org/slirp/libslirp-rs/-/issues/5
* `squeekboard` - https://gitlab.gnome.org/World/Phosh/squeekboard/-/issues/378
We cannot continue to maintain packages for obsolete versions of the
zbus and zvariant crates indefinitely. These packages in turn pull in
dependencies that are increasingly outdated compared to other packages
in Fedora, including a lot of compat packages for older alternative
versions of existing Rust packages:
* `rust-async-io` v1 compat package (current: v2)
* `rust-async-lock` v2 compat package (current: v3)
* `rust-bitflags` v1 compat package (current: v2)
* `rust-enumflags2` v0.6 compat package (current: v0.7)
* `rust-enumflags_derive2` v0.6 compat package (current: v0.7)
* `rust-event-listener` v2 compat package (current: v5)
* `rust-futures-lite` v1 compat package (current: v2)
* `rust-io-lifetimes` v1 compat package (current: v2)
* `rust-linux-raw-sys` v0.3 compat package (current: v0.6)
* `rust-memoffset` v0.6 compat package (current: v0.9)
* `rust-nix` v0.22 compat package (current: v0.29)
* `rust-polling` v2 compat package (current: v3)
* `rust-proc-macro-crate` v0.1 compat package (current: v3)
* `rust-proc-macro-crate` v1 compat package (current: v3)
* `rust-rustix` v0.37 compat package (current: v0.38)
* `rust-socket2` v0.4 compat package (current: v0.5)
* `rust-syn` v1 compat package (current: v2)
* `rust-toml` v0.5 compat package (current: v0.8)
* `rust-toml_edit` v0.19 compat package (current: v0.22)
* `rust-winnow` v0.5 (current: 0.6)
And in turn, these compat packages pull in even more old and / or
obsolete packages.
Additionally, versions of zbus / zvariant before zbus v3.14 / zvariant
3.15 have known bugs on 32-bit systems and test failures on big-endian
systems: https://github.com/dbus2/zbus/pull/362
== Feedback ==
== Benefit to Fedora ==
Implementing this change will allow the Rust SIG to drop potentially
dozens of obsolete libraries and / or old compat packages from the
distribution. Making the dependency graph less "dense" makes
maintenance work easier due to fewer inter-dependencies that need to
be taken into account when pushing library updates.
Additionally, packages for old versions of crates often require
ongoing maintenance due to new rustc compiler errors, or require fixes
for compatibility with new versions of cargo. As a result, dropping
old packages frees up time that package maintainers could spend on
more useful work. Dropping obsolete packages from the distribution
also has indirect benefits, like reduced load on Fedora infrastructure
(koschei CI, mass rebuilds, etc.).
While none of the packages included in the list above are listed as
"vulnerable" in the RUSTSEC database, this database is not exhaustive,
and many packages in this list contain "unsafe" code that could
contain soundness problems that were just not submitted to RUSTSEC for
classification.
== Scope ==
* Proposal owners:
Retire `rust-zbus1`, `rust-zbus_macros1`, `rust-zvariant2`,
`rust-zvariant_derive2` from Fedora Rawhide / Fedora 42, at the latest
before the start of the Final Freeze for Fedora 42.
* Other developers:
Port packages that depend on zbus v1 to zbus >= v4, work with upstream
projects to do the same, or retire dependent packages.
Porting from zbus v1 to newer versions requires some code changes due
to API changes in zbus >= v2, which might or might not be trivial. For
example, this is the PR for system-76-keyboard-configurator to port it
from zbus v1 to v3 (with fewer required changes between zbus v3 and
v4): https://github.com/pop-os/keyboard-configurator/pull/221
* Release engineering:
N/A (just ensure that retired packages are removed from repositories /
blocked in koji correctly, but this is already covered by normal
Release Engineering processes)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:
Dropping obsolete packages makes it easier for new contributors to
start working on the Rust stack in Fedora.
== Upgrade/compatibility impact ==
Rust library packages are not intended to be installed on end-user
systems, and are almost exclusively installed in ephemeral build
environments (i.e. mock chroots).
If any of the dependent packages (`nmstate`, `rust-libslirp`,
`squeekboard`) is retired, they can be added to
fedora-obsolete-packages. But since Rust crates are statically linked
and are not a dependency for built packages, this is not strictly
necessary.
== How To Test ==
None of the packages built from the following source packages should
be available for installation on Fedora 42:
* rust-zbus1 (`rust-zbus1-devel`, `rust-zbus1+*-devel`)
* rust-zbus_macros1 (`rust-zbus_macros1-devel`, `rust-zbus_macros1+*-devel`)
* rust-zvariant2 (`rust-zvariant2-devel`, `rust-zvariant2+*-devel`)
* rust-zvariant_derive2 (`rust-zvariant_derive2-devel`,
`rust-zvariant_derive2+*-devel`)
== User Experience ==
N/A (not a user-facing change)
== Dependencies ==
There are three applications that currently depend on zbus v1:
* nmstate
* libslirp-helper (from rust-libslirp) - apparently obsoleted by passt?
* squeekboard
They will need to be ported to a newer version of zbus (ideally, zbus
v4, which is what is currently shipped by Fedora, though zbus v5 has
already been released as of October 18, 2024).
== Contingency Plan ==
* Contingency mechanism: packages for zbus v1 and zvariant v2 will not
be retired (or will be un-retired if already retired)
* Contingency deadline: Final Freeze
* Blocks release? No
== Documentation ==
* zbus / zvariant release notes on GitHub:
https://github.com/dbus2/zbus/releases
== Release Notes ==
N/A (not a user-facing change)
--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
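The "How To Test" check from the zbus v1 proposal above, as an added example that is not part of the original announcement or of any Fedora tooling: a filter that flags binary packages built from the four retired source packages, including the `+feature` subpackages. The function names, the sample package list and the feature names in it are constructed for illustration.

```shell
#!/bin/sh
# Source packages the Change proposal lists for retirement.
RETIRED_SOURCES="rust-zbus1 rust-zbus_macros1 rust-zvariant2 rust-zvariant_derive2"

# Read binary package names (one per line) on stdin and print every name that
# matches "<src>-devel" or "<src>+<feature>-devel" for a retired source package.
retired_zbus_packages() {
    while IFS= read -r name; do
        for src in $RETIRED_SOURCES; do
            case "$name" in
                "$src"-devel|"$src"+*-devel)
                    printf '%s\n' "$name"
                    ;;
            esac
        done
    done
}

# Return 0 when stdin contains no retired package, 1 otherwise
# (offending names are printed so a CI log shows what is still shipped).
assert_retired() {
    hits=$(retired_zbus_packages)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample of repository contents (not real repoquery output).
# It mixes current zbus/zvariant packages, which must NOT be flagged,
# with packages from the retired sources, which must be.
sample_names() {
    cat <<'EOF'
rust-zbus-devel
rust-zbus+default-devel
rust-zbus1-devel
rust-zbus1+default-devel
rust-zbus_macros1-devel
rust-zvariant-devel
rust-zvariant2+enumflags2-devel
rust-zvariant_derive2-devel
rust-zbus10-devel
EOF
}

# On a Fedora 42 system, feed real package names instead of the sample.
# Assumption: dnf5 needs the explicit "\n" in the query format; blank
# lines that dnf4 would add are ignored by the filter.
#   dnf repoquery --quiet --qf '%{name}\n' 'rust-z*-devel' | sort -u | assert_retired

# Demonstration on the constructed sample: prints the five offending names.
sample_names | retired_zbus_packages
```

The patterns are anchored on the full source package name, so the current `rust-zbus-devel` and `rust-zvariant-devel` packages are not flagged.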
Sunday, October 20, 2024
[USN-7077-1] AMD Microcode vulnerability
==========================================================================
Ubuntu Security Notice USN-7077-1
October 21, 2024
amd64-microcode vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
AMD processors may allow a privileged local attacker to further escalate their
privileges and execute arbitrary code within the processor's firmware layer.
Software Description:
- amd64-microcode: Platform firmware and microcode for AMD CPUs and SoCs
Details:
Enrique Nissim and Krzysztof Okupski discovered that some AMD processors
did not properly restrict access to the System Management Mode (SMM)
configuration when the SMM Lock was enabled. A privileged local attacker
could possibly use this issue to further escalate their privileges and
execute arbitrary code within the processor's firmware layer.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
amd64-microcode 3.20240116.2+nmu1ubuntu1.1
Ubuntu 24.04 LTS
amd64-microcode 3.20231019.1ubuntu2.1
Ubuntu 22.04 LTS
amd64-microcode 3.20191218.1ubuntu2.3
Ubuntu 20.04 LTS
amd64-microcode 3.20191218.1ubuntu1.3
Ubuntu 18.04 LTS
amd64-microcode 3.20191021.1+really3.20181128.1~ubuntu0.18.04.1+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
amd64-microcode 3.20191021.1+really3.20180524.1~ubuntu0.16.04.2+esm3
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7077-1
CVE-2023-31315
Package Information:
https://launchpad.net/ubuntu/+source/amd64-microcode/3.20240116.2+nmu1ubuntu1.1
https://launchpad.net/ubuntu/+source/amd64-microcode/3.20231019.1ubuntu2.1
https://launchpad.net/ubuntu/+source/amd64-microcode/3.20191218.1ubuntu2.3
https://launchpad.net/ubuntu/+source/amd64-microcode/3.20191218.1ubuntu1.3
Thursday, October 17, 2024
[USN-7069-2] Linux kernel (Azure) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7069-2
October 17, 2024
linux-azure vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
Details:
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- x86 architecture;
- Cryptographic API;
- CPU frequency scaling framework;
- HW tracing;
- ISDN/mISDN subsystem;
- Media drivers;
- Network drivers;
- NVME drivers;
- S/390 drivers;
- SCSI drivers;
- USB subsystem;
- VFIO drivers;
- Watchdog drivers;
- JFS file system;
- IRQ subsystem;
- Core kernel;
- Memory management;
- Amateur Radio drivers;
- IPv4 networking;
- IPv6 networking;
- IUCV driver;
- Network traffic control;
- TIPC protocol;
- XFRM subsystem;
- Integrity Measurement Architecture (IMA) framework;
- SoC Audio for Freescale CPUs drivers;
- USB sound devices;
(CVE-2024-36971, CVE-2024-42271, CVE-2024-38630, CVE-2024-38602,
CVE-2024-42223, CVE-2024-44940, CVE-2023-52528, CVE-2024-41097,
CVE-2024-27051, CVE-2024-42157, CVE-2024-46673, CVE-2024-39494,
CVE-2024-42089, CVE-2024-41073, CVE-2024-26810, CVE-2024-26960,
CVE-2024-38611, CVE-2024-31076, CVE-2024-26754, CVE-2023-52510,
CVE-2024-40941, CVE-2024-45016, CVE-2024-38627, CVE-2024-38621,
CVE-2024-39487, CVE-2024-27436, CVE-2024-40901, CVE-2024-26812,
CVE-2024-42244, CVE-2024-42229, CVE-2024-43858, CVE-2024-42280,
CVE-2024-26641, CVE-2024-42284, CVE-2024-26602)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
linux-image-4.15.0-1182-azure 4.15.0-1182.197~16.04.1
Available with Ubuntu Pro
linux-image-azure 4.15.0.1182.197~16.04.1
Available with Ubuntu Pro
Ubuntu 14.04 LTS
linux-image-4.15.0-1182-azure 4.15.0-1182.197~14.04.1
Available with Ubuntu Pro
linux-image-azure 4.15.0.1182.197~14.04.1
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7069-2
https://ubuntu.com/security/notices/USN-7069-1
CVE-2023-52510, CVE-2023-52528, CVE-2024-26602, CVE-2024-26641,
CVE-2024-26754, CVE-2024-26810, CVE-2024-26812, CVE-2024-26960,
CVE-2024-27051, CVE-2024-27436, CVE-2024-31076, CVE-2024-36971,
CVE-2024-38602, CVE-2024-38611, CVE-2024-38621, CVE-2024-38627,
CVE-2024-38630, CVE-2024-39487, CVE-2024-39494, CVE-2024-40901,
CVE-2024-40941, CVE-2024-41073, CVE-2024-41097, CVE-2024-42089,
CVE-2024-42157, CVE-2024-42223, CVE-2024-42229, CVE-2024-42244,
CVE-2024-42271, CVE-2024-42280, CVE-2024-42284, CVE-2024-43858,
CVE-2024-44940, CVE-2024-45016, CVE-2024-46673