From nishit.majithia at canonical.com Thu May 2 04:58:49 2024
From: nishit.majithia at canonical.com (Nishit Majithia)
Date: Thu, 2 May 2024 10:28:49 +0530
Subject: [USN-6747-2] Firefox regressions
Message-ID: <20240502045849.qtuqdskjcnikazu2@machine>

==========================================================================
Ubuntu Security Notice USN-6747-2
May 02, 2024

firefox regressions
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

USN-6747-1 caused some minor regressions in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-6747-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-3852,
CVE-2024-3864, CVE-2024-3865)

Bartek Nowotarski discovered that Firefox did not properly limit HTTP/2
CONTINUATION frames. An attacker could potentially exploit this issue to
cause a denial of service. (CVE-2024-3302)

Gary Kwong discovered that Firefox did not properly manage memory when
running garbage collection during realm initialization. An attacker
could potentially exploit this issue to cause a denial of service, or
execute arbitrary code. (CVE-2024-3853)

Lukas Bernhard discovered that Firefox did not properly manage memory
during JIT optimisations, leading to an out-of-bounds read
vulnerability. An attacker could possibly use this issue to cause a
denial of service or expose sensitive information. (CVE-2024-3854,
CVE-2024-3855)

Nan Wang discovered that Firefox did not properly manage memory during
WASM garbage collection.
An attacker could potentially exploit this issue to cause a denial of
service, or execute arbitrary code. (CVE-2024-3856)

Lukas Bernhard discovered that Firefox did not properly manage memory
when handling JIT created code during garbage collection. An attacker
could potentially exploit this issue to cause a denial of service, or
execute arbitrary code. (CVE-2024-3857)

Lukas Bernhard discovered that Firefox did not properly manage memory
when tracing in JIT. An attacker could potentially exploit this issue to
cause a denial of service. (CVE-2024-3858)

Ronald Crane discovered that Firefox did not properly manage memory in
the OpenType sanitizer on 32-bit devices, leading to an out-of-bounds
read vulnerability. An attacker could possibly use this issue to cause a
denial of service or expose sensitive information. (CVE-2024-3859)

Gary Kwong discovered that Firefox did not properly manage memory when
tracing empty shape lists in JIT. An attacker could potentially exploit
this issue to cause a denial of service. (CVE-2024-3860)

Ronald Crane discovered that Firefox did not properly manage memory when
handling an AlignedBuffer. An attacker could potentially exploit this
issue to cause denial of service, or execute arbitrary code.
(CVE-2024-3861)

Ronald Crane discovered that Firefox did not properly manage memory when
handling code in MarkStack. An attacker could possibly use this issue to
cause a denial of service or execute arbitrary code. (CVE-2024-3862)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  firefox                         125.0.3+build1-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6747-2
  https://ubuntu.com/security/notices/USN-6747-1
  https://launchpad.net/bugs/2064553

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/125.0.3+build1-0ubuntu0.20.04.1

From leo.barbosa at canonical.com Thu May 2 14:36:16 2024
From: leo.barbosa at canonical.com (Leonidas S. Barbosa)
Date: Thu, 2 May 2024 11:36:16 -0300
Subject: [USN-6762-1] GNU C Library vulnerabilities
Message-ID: <20240502143616.GA306247@d4rkl41n>

==========================================================================
Ubuntu Security Notice USN-6762-1
May 02, 2024

eglibc, glibc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in GNU C Library.

Software Description:
- glibc: GNU C Library
- eglibc: GNU C Library

Details:

It was discovered that GNU C Library incorrectly handled netgroup
requests. An attacker could possibly use this issue to cause a crash or
execute arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-9984)

It was discovered that GNU C Library might allow context-dependent
attackers to cause a denial of service. This issue only affected Ubuntu
14.04 LTS. (CVE-2015-20109)

It was discovered that GNU C Library, when processing very long pathname
arguments to the realpath function, could encounter an integer overflow
on 32-bit architectures, leading to a stack-based buffer overflow and,
potentially, arbitrary code execution. This issue only affected Ubuntu
14.04 LTS. (CVE-2018-11236)

It was discovered that the GNU C library getcwd function incorrectly
handled buffers.
An attacker could use this issue to cause the GNU C Library to crash,
resulting in a denial of service, or possibly execute arbitrary code.
This issue only affected Ubuntu 14.04 LTS. (CVE-2021-3999)

Charles Fol discovered that the GNU C Library iconv feature incorrectly
handled certain input sequences. An attacker could use this issue to
cause the GNU C Library to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2024-2961)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  libc6                           2.27-3ubuntu1.6+esm2
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libc6                           2.23-0ubuntu11.3+esm6
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libc6                           2.19-0ubuntu6.15+esm3
                                  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6762-1
  CVE-2014-9984, CVE-2015-20109, CVE-2018-11236, CVE-2021-3999,
  CVE-2024-2961, https://launchpad.net/bugs/2063328

From leo.barbosa at canonical.com Thu May 2 17:51:57 2024
From: leo.barbosa at canonical.com (Leonidas S. Barbosa)
Date: Thu, 2 May 2024 14:51:57 -0300
Subject: [USN-6757-2] PHP vulnerabilities
Message-ID: <20240502175157.GA485046@d4rkl41n>

==========================================================================
Ubuntu Security Notice USN-6757-2
May 02, 2024

php7.4, php8.1, php8.2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php8.2: server-side, HTML-embedded scripting language (metapackage)
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter

Details:

USN-6757-1 fixed vulnerabilities in PHP. Unfortunately these fixes were
incomplete for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10.
This update fixes the problem.

Original advisory details:

It was discovered that PHP incorrectly handled the
PHP_CLI_SERVER_WORKERS variable. An attacker could possibly use this
issue to cause a crash or execute arbitrary code. This issue only
affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-4900)

It was discovered that PHP incorrectly handled certain cookies. An
attacker could possibly use this issue to perform a cookie bypass.
(CVE-2024-2756)

It was discovered that PHP incorrectly handled some passwords. An
attacker could possibly use this issue to cause an account takeover
attack. (CVE-2024-3096)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  libapache2-mod-php8.2           8.2.10-2ubuntu2.1
  php8.2                          8.2.10-2ubuntu2.1
  php8.2-cgi                      8.2.10-2ubuntu2.1
  php8.2-cli                      8.2.10-2ubuntu2.1
  php8.2-fpm                      8.2.10-2ubuntu2.1
  php8.2-xml                      8.2.10-2ubuntu2.1

Ubuntu 22.04 LTS
  libapache2-mod-php8.1           8.1.2-1ubuntu2.17
  php8.1                          8.1.2-1ubuntu2.17
  php8.1-cgi                      8.1.2-1ubuntu2.17
  php8.1-cli                      8.1.2-1ubuntu2.17
  php8.1-fpm                      8.1.2-1ubuntu2.17
  php8.1-xml                      8.1.2-1ubuntu2.17

Ubuntu 20.04 LTS
  libapache2-mod-php7.4           7.4.3-4ubuntu2.22
  php7.4                          7.4.3-4ubuntu2.22
  php7.4-cgi                      7.4.3-4ubuntu2.22
  php7.4-cli                      7.4.3-4ubuntu2.22
  php7.4-fpm                      7.4.3-4ubuntu2.22
  php7.4-xml                      7.4.3-4ubuntu2.22

In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-6757-2
  https://ubuntu.com/security/notices/USN-6757-1
  CVE-2022-4900, CVE-2024-2756, CVE-2024-3096

Package Information:
  https://launchpad.net/ubuntu/+source/php8.2/8.2.10-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.17
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.22

From marc.deslauriers at canonical.com Tue May 7 12:23:40 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Tue, 7 May 2024 08:23:40 -0400
Subject: [USN-6763-1] libvirt vulnerability
Message-ID: <59db2704-8995-4a36-b980-1f253409c03d@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6763-1
May 07, 2024

libvirt vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

libvirt could allow unintended access to the virtproxyd service.

Software Description:
- libvirt: Libvirt virtualization toolkit

Details:

Martin Širokov discovered that libvirt incorrectly handled certain
memory operations. A local attacker could possibly use this issue to
access virtproxyd without authorization.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libvirt-daemon                  10.0.0-2ubuntu8.2
  libvirt-daemon-system           10.0.0-2ubuntu8.2
  libvirt0                        10.0.0-2ubuntu8.2

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6763-1
  CVE-2024-4418

Package Information:
  https://launchpad.net/ubuntu/+source/libvirt/10.0.0-2ubuntu8.2

From rodrigo.zaiden at canonical.com Tue May 7 15:35:50 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Tue, 7 May 2024 12:35:50 -0300
Subject: [USN-6765-1] Linux kernel (OEM) vulnerabilities
Message-ID: <04ca9b11-08dd-48b8-b7d6-8a7ccbe073e4@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6765-1
May 07, 2024

linux-oem-6.5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-oem-6.5: Linux kernel for OEM systems

Details:

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux
kernel did not properly validate H2C PDU data, leading to a null pointer
dereference vulnerability. A remote attacker could use this to cause a
denial of service (system crash). (CVE-2023-6356, CVE-2023-6535,
CVE-2023-6536)

Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano
Giuffrida discovered that the Linux kernel mitigations for the initial
Branch History Injection vulnerability (CVE-2022-0001) were insufficient
for Intel processors. A local attacker could potentially use this to
expose sensitive information. (CVE-2024-2201)

Chenyuan Yang discovered that the RDS Protocol implementation in the
Linux kernel contained an out-of-bounds read vulnerability. An attacker
could use this to possibly cause a denial of service (system crash).
(CVE-2024-23849)

It was discovered that a race condition existed in the Bluetooth
subsystem in the Linux kernel, leading to a null pointer dereference
vulnerability. A privileged local attacker could use this to possibly
cause a denial of service (system crash).
(CVE-2024-24860)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - ARM64 architecture;
  - PowerPC architecture;
  - S390 architecture;
  - Core kernel;
  - x86 architecture;
  - Block layer subsystem;
  - Cryptographic API;
  - Android drivers;
  - Drivers core;
  - Power management core;
  - Bus devices;
  - Hardware random number generator core;
  - Device frequency;
  - DMA engine subsystem;
  - EDAC drivers;
  - ARM SCMI message protocol;
  - GPU drivers;
  - IIO ADC drivers;
  - InfiniBand drivers;
  - IOMMU subsystem;
  - Media drivers;
  - Multifunction device drivers;
  - MTD block device drivers;
  - Network drivers;
  - NVME drivers;
  - PCI driver for MicroSemi Switchtec;
  - x86 platform drivers;
  - Power supply drivers;
  - SCSI drivers;
  - QCOM SoC drivers;
  - SPMI drivers;
  - Thermal drivers;
  - TTY drivers;
  - VFIO drivers;
  - BTRFS file system;
  - Ceph distributed file system;
  - EFI Variable file system;
  - EROFS file system;
  - Ext4 file system;
  - F2FS file system;
  - GFS2 file system;
  - JFS file system;
  - Network file systems library;
  - Network file system server daemon;
  - Pstore file system;
  - ReiserFS file system;
  - SMB network file system;
  - BPF subsystem;
  - Memory management;
  - TLS protocol;
  - Networking core;
  - IPv4 networking;
  - IPv6 networking;
  - Logical Link layer;
  - Netfilter;
  - Network traffic control;
  - SMC sockets;
  - Sun RPC protocol;
  - AppArmor security module;
(CVE-2023-52635, CVE-2024-26632, CVE-2023-52468, CVE-2023-52472,
CVE-2023-52589, CVE-2024-26671, CVE-2024-26640, CVE-2024-26631,
CVE-2023-52489, CVE-2023-52616, CVE-2023-52445, CVE-2023-52463,
CVE-2024-26610, CVE-2023-52497, CVE-2023-52453, CVE-2023-52470,
CVE-2024-26649, CVE-2023-52583, CVE-2024-26644, CVE-2023-52607,
CVE-2023-52587, CVE-2024-26594, CVE-2023-52618, CVE-2023-52495,
CVE-2023-52632, CVE-2024-26583, CVE-2023-52633, CVE-2023-52591,
CVE-2024-26633, CVE-2023-52627, CVE-2024-26670, CVE-2024-26598,
CVE-2024-26592, CVE-2023-52473, CVE-2023-52623, CVE-2023-52446,
CVE-2023-52443, CVE-2023-52451, CVE-2024-26629, CVE-2023-52462,
CVE-2024-26808, CVE-2023-52598, CVE-2023-52611, CVE-2023-52492,
CVE-2023-52456, CVE-2023-52626, CVE-2023-52455, CVE-2024-26641,
CVE-2023-52588, CVE-2023-52608, CVE-2024-26618, CVE-2024-26582,
CVE-2023-52609, CVE-2023-52604, CVE-2024-26646, CVE-2024-26634,
CVE-2023-52469, CVE-2023-52467, CVE-2023-52447, CVE-2024-26623,
CVE-2023-52621, CVE-2024-26647, CVE-2024-26615, CVE-2023-52450,
CVE-2023-52619, CVE-2023-52610, CVE-2023-52606, CVE-2023-52464,
CVE-2023-52465, CVE-2024-26638, CVE-2023-52498, CVE-2024-26625,
CVE-2023-52449, CVE-2023-52584, CVE-2023-52454, CVE-2023-52458,
CVE-2024-26585, CVE-2024-26669, CVE-2023-52493, CVE-2024-26645,
CVE-2024-26607, CVE-2023-52615, CVE-2023-52617, CVE-2024-26612,
CVE-2024-26668, CVE-2023-52594, CVE-2023-52612, CVE-2024-26584,
CVE-2024-26586, CVE-2024-26616, CVE-2024-26673, CVE-2023-52448,
CVE-2024-26620, CVE-2023-52614, CVE-2024-26636, CVE-2023-52602,
CVE-2023-52452, CVE-2023-52601, CVE-2024-26635, CVE-2024-26627,
CVE-2023-52488, CVE-2023-52487, CVE-2023-52597, CVE-2023-52494,
CVE-2023-52444, CVE-2024-26608, CVE-2023-52593, CVE-2023-52491,
CVE-2023-52595, CVE-2023-52599, CVE-2024-26595, CVE-2023-52622,
CVE-2024-26650, CVE-2024-26614, CVE-2023-52490, CVE-2023-52486,
CVE-2023-52457)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  linux-image-6.5.0-1022-oem      6.5.0-1022.23
  linux-image-oem-22.04           6.5.0.1022.24
  linux-image-oem-22.04a          6.5.0.1022.24
  linux-image-oem-22.04b          6.5.0.1022.24
  linux-image-oem-22.04c          6.5.0.1022.24
  linux-image-oem-22.04d          6.5.0.1022.24

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-6765-1
  CVE-2023-52443, CVE-2023-52444, CVE-2023-52445, CVE-2023-52446,
  CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52450,
  CVE-2023-52451, CVE-2023-52452, CVE-2023-52453, CVE-2023-52454,
  CVE-2023-52455, CVE-2023-52456, CVE-2023-52457, CVE-2023-52458,
  CVE-2023-52462, CVE-2023-52463, CVE-2023-52464, CVE-2023-52465,
  CVE-2023-52467, CVE-2023-52468, CVE-2023-52469, CVE-2023-52470,
  CVE-2023-52472, CVE-2023-52473, CVE-2023-52486, CVE-2023-52487,
  CVE-2023-52488, CVE-2023-52489, CVE-2023-52490, CVE-2023-52491,
  CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52495,
  CVE-2023-52497, CVE-2023-52498, CVE-2023-52583, CVE-2023-52584,
  CVE-2023-52587, CVE-2023-52588, CVE-2023-52589, CVE-2023-52591,
  CVE-2023-52593, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597,
  CVE-2023-52598, CVE-2023-52599, CVE-2023-52601, CVE-2023-52602,
  CVE-2023-52604, CVE-2023-52606, CVE-2023-52607, CVE-2023-52608,
  CVE-2023-52609, CVE-2023-52610, CVE-2023-52611, CVE-2023-52612,
  CVE-2023-52614, CVE-2023-52615, CVE-2023-52616, CVE-2023-52617,
  CVE-2023-52618, CVE-2023-52619, CVE-2023-52621, CVE-2023-52622,
  CVE-2023-52623, CVE-2023-52626, CVE-2023-52627, CVE-2023-52632,
  CVE-2023-52633, CVE-2023-52635, CVE-2023-6356, CVE-2023-6535,
  CVE-2023-6536, CVE-2024-2201, CVE-2024-23849, CVE-2024-24860,
  CVE-2024-26582, CVE-2024-26583, CVE-2024-26584, CVE-2024-26585,
  CVE-2024-26586, CVE-2024-26592, CVE-2024-26594, CVE-2024-26595,
  CVE-2024-26598, CVE-2024-26607, CVE-2024-26608, CVE-2024-26610,
  CVE-2024-26612, CVE-2024-26614, CVE-2024-26615,
  CVE-2024-26616, CVE-2024-26618, CVE-2024-26620, CVE-2024-26623,
  CVE-2024-26625, CVE-2024-26627, CVE-2024-26629, CVE-2024-26631,
  CVE-2024-26632, CVE-2024-26633, CVE-2024-26634, CVE-2024-26635,
  CVE-2024-26636, CVE-2024-26638, CVE-2024-26640, CVE-2024-26641,
  CVE-2024-26644, CVE-2024-26645, CVE-2024-26646, CVE-2024-26647,
  CVE-2024-26649, CVE-2024-26650, CVE-2024-26668, CVE-2024-26669,
  CVE-2024-26670, CVE-2024-26671, CVE-2024-26673, CVE-2024-26808

Package Information:
  https://launchpad.net/ubuntu/+source/linux-oem-6.5/6.5.0-1022.23

From fabian.toepfer at canonical.com Tue May 7 16:53:20 2024
From: fabian.toepfer at canonical.com (Fabian Toepfer)
Date: Tue, 7 May 2024 18:53:20 +0200
Subject: [USN-6754-2] nghttp2 vulnerability
Message-ID: <85cd6a10-bccc-4839-8aa5-95437fb25047@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6754-2
May 07, 2024

nghttp2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in nghttp2.

Software Description:
- nghttp2: HTTP/2 C Library and tools

Details:

USN-6754-1 fixed vulnerabilities in nghttp2. This update provides the
corresponding update for Ubuntu 24.04 LTS.

Original advisory details:

 It was discovered that nghttp2 incorrectly handled the HTTP/2
 implementation. A remote attacker could possibly use this issue to cause
 nghttp2 to consume resources, leading to a denial of service. This issue
 only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
 CVE-2019-9513)

 It was discovered that nghttp2 incorrectly handled request cancellation.
 A remote attacker could possibly use this issue to cause nghttp2 to
 consume resources, leading to a denial of service. This issue only
 affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)

 It was discovered that nghttp2 could be made to process an unlimited
 number of HTTP/2 CONTINUATION frames. A remote attacker could possibly
 use this issue to cause nghttp2 to consume resources, leading to a
 denial of service. (CVE-2024-28182)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libnghttp2-14                   1.59.0-1ubuntu0.1
  nghttp2                         1.59.0-1ubuntu0.1
  nghttp2-client                  1.59.0-1ubuntu0.1
  nghttp2-proxy                   1.59.0-1ubuntu0.1
  nghttp2-server                  1.59.0-1ubuntu0.1

In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-6754-2
  https://ubuntu.com/security/notices/USN-6754-1
  CVE-2024-28182

Package Information:
  https://launchpad.net/ubuntu/+source/nghttp2/1.59.0-1ubuntu0.1

From fabian.toepfer at canonical.com Tue May 7 16:54:17 2024
From: fabian.toepfer at canonical.com (Fabian Toepfer)
Date: Tue, 7 May 2024 18:54:17 +0200
Subject: [USN-6764-1] libde265 vulnerability
Message-ID: <8eadf132-9e00-4255-acfd-e2017b15d858@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6764-1
May 07, 2024

libde265 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

libde265 could be made to crash if it opened a specially crafted file.

Software Description:
- libde265: Open H.265 video codec implementation

Details:

It was discovered that libde265 could be made to allocate memory that
exceeds the maximum supported size. If a user or automated system were
tricked into opening a specially crafted file, an attacker could
possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  libde265-0                      1.0.12-2ubuntu0.2

Ubuntu 22.04 LTS
  libde265-0                      1.0.8-1ubuntu0.3+esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libde265-0                      1.0.4-1ubuntu0.4+esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libde265-0                      1.0.2-2ubuntu0.18.04.1~esm5
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libde265-0                      1.0.2-2ubuntu0.16.04.1~esm5
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-6764-1
  CVE-2023-51792

Package Information:
  https://launchpad.net/ubuntu/+source/libde265/1.0.12-2ubuntu0.2

From rodrigo.zaiden at canonical.com Tue May 7 19:58:08 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Tue, 7 May 2024 16:58:08 -0300
Subject: [USN-6766-1] Linux kernel vulnerabilities
Message-ID: <0db0eca3-5447-4581-a070-4c8a604b7495@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6766-1
May 07, 2024

linux, linux-azure, linux-azure-5.15, linux-azure-fde,
linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,
linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm,
linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle,
linux-oracle-5.15 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-kvm: Linux kernel for cloud environments
- linux-lowlatency: Linux low latency kernel
- linux-nvidia: Linux kernel for NVIDIA systems
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems
- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm-5.15: Linux kernel for IBM cloud systems
- linux-lowlatency-hwe-5.15: Linux low latency kernel
- linux-oracle-5.15: Linux kernel for Oracle Cloud systems

Details:

It was discovered that the Open vSwitch implementation in the Linux
kernel could overflow its stack during recursive action operations under
certain conditions. A local attacker could use this to cause a denial of
service (system crash). (CVE-2024-1151)

Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano
Giuffrida discovered that the Linux kernel mitigations for the initial
Branch History Injection vulnerability (CVE-2022-0001) were insufficient
for Intel processors. A local attacker could potentially use this to
expose sensitive information. (CVE-2024-2201)

Chenyuan Yang discovered that the RDS Protocol implementation in the
Linux kernel contained an out-of-bounds read vulnerability. An attacker
could use this to possibly cause a denial of service (system crash).
(CVE-2024-23849)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - PowerPC architecture;
  - S390 architecture;
  - Core kernel;
  - Block layer subsystem;
  - Android drivers;
  - Power management core;
  - Bus devices;
  - Hardware random number generator core;
  - Cryptographic API;
  - Device frequency;
  - DMA engine subsystem;
  - ARM SCMI message protocol;
  - GPU drivers;
  - HID subsystem;
  - Hardware monitoring drivers;
  - I2C subsystem;
  - IIO ADC drivers;
  - IIO subsystem;
  - IIO Magnetometer sensors drivers;
  - InfiniBand drivers;
  - Media drivers;
  - Network drivers;
  - PCI driver for MicroSemi Switchtec;
  - PHY drivers;
  - SCSI drivers;
  - DesignWare USB3 driver;
  - BTRFS file system;
  - Ceph distributed file system;
  - Ext4 file system;
  - F2FS file system;
  - JFS file system;
  - NILFS2 file system;
  - NTFS3 file system;
  - Pstore file system;
  - SMB network file system;
  - Memory management;
  - CAN network layer;
  - Networking core;
  - HSR network protocol;
  - IPv4 networking;
  - IPv6 networking;
  - Logical Link layer;
  - Multipath TCP;
  - Netfilter;
  - NFC subsystem;
  - SMC sockets;
  - Sun RPC protocol;
  - TIPC protocol;
  - Unix domain sockets;
  - Realtek audio codecs;
(CVE-2023-52594, CVE-2023-52601, CVE-2024-26826, CVE-2023-52622,
CVE-2024-26665, CVE-2023-52493, CVE-2023-52633, CVE-2024-26684,
CVE-2024-26663, CVE-2023-52618, CVE-2023-52588, CVE-2023-52637,
CVE-2024-26825, CVE-2023-52606, CVE-2024-26594, CVE-2024-26625,
CVE-2024-26720, CVE-2024-26614, CVE-2023-52627, CVE-2023-52602,
CVE-2024-26673, CVE-2024-26685, CVE-2023-52638, CVE-2023-52498,
CVE-2023-52619, CVE-2024-26910, CVE-2024-26689, CVE-2023-52583,
CVE-2024-26676, CVE-2024-26671, CVE-2024-26704, CVE-2024-26608,
CVE-2024-26610, CVE-2024-26592, CVE-2023-52599, CVE-2023-52595,
CVE-2024-26660, CVE-2023-52617, CVE-2024-26645, CVE-2023-52486,
CVE-2023-52631, CVE-2023-52607, CVE-2023-52608, CVE-2024-26722,
CVE-2024-26615, CVE-2023-52615, CVE-2024-26636, CVE-2023-52642,
CVE-2023-52587, CVE-2024-26712,
CVE-2024-26675, CVE-2023-52614, CVE-2024-26606, CVE-2024-26916,
CVE-2024-26600, CVE-2024-26679, CVE-2024-26829, CVE-2024-26641,
CVE-2023-52623, CVE-2024-26627, CVE-2024-26696, CVE-2024-26640,
CVE-2024-26635, CVE-2023-52491, CVE-2024-26664, CVE-2024-26602,
CVE-2023-52604, CVE-2024-26717, CVE-2023-52643, CVE-2024-26593,
CVE-2023-52598, CVE-2024-26668, CVE-2023-52435, CVE-2023-52597,
CVE-2024-26715, CVE-2024-26707, CVE-2023-52635, CVE-2024-26695,
CVE-2024-26698, CVE-2023-52494, CVE-2024-26920, CVE-2024-26808,
CVE-2023-52616, CVE-2023-52492, CVE-2024-26702, CVE-2024-26644,
CVE-2023-52489, CVE-2024-26697)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  linux-image-5.15.0-1044-gkeop               5.15.0-1044.51
  linux-image-5.15.0-1054-ibm                 5.15.0-1054.57
  linux-image-5.15.0-1054-nvidia              5.15.0-1054.55
  linux-image-5.15.0-1054-nvidia-lowlatency   5.15.0-1054.55
  linux-image-5.15.0-1058-gke                 5.15.0-1058.63
  linux-image-5.15.0-1058-kvm                 5.15.0-1058.63
  linux-image-5.15.0-1059-gcp                 5.15.0-1059.67
  linux-image-5.15.0-1059-oracle              5.15.0-1059.65
  linux-image-5.15.0-106-generic              5.15.0-106.116
  linux-image-5.15.0-106-generic-64k          5.15.0-106.116
  linux-image-5.15.0-106-generic-lpae         5.15.0-106.116
  linux-image-5.15.0-106-lowlatency           5.15.0-106.116
  linux-image-5.15.0-106-lowlatency-64k       5.15.0-106.116
  linux-image-5.15.0-1063-azure               5.15.0-1063.72
  linux-image-5.15.0-1063-azure-fde           5.15.0-1063.72.1
  linux-image-azure-fde-lts-22.04             5.15.0.1063.72.41
  linux-image-azure-lts-22.04                 5.15.0.1063.61
  linux-image-gcp-lts-22.04                   5.15.0.1059.55
  linux-image-generic                         5.15.0.106.106
  linux-image-generic-64k                     5.15.0.106.106
  linux-image-generic-lpae                    5.15.0.106.106
  linux-image-gke                             5.15.0.1058.57
  linux-image-gke-5.15                        5.15.0.1058.57
  linux-image-gkeop                           5.15.0.1044.43
  linux-image-gkeop-5.15                      5.15.0.1044.43
  linux-image-ibm                             5.15.0.1054.50
  linux-image-kvm                             5.15.0.1058.54
  linux-image-lowlatency                      5.15.0.106.101
  linux-image-lowlatency-64k                  5.15.0.106.101
  linux-image-nvidia                          5.15.0.1054.54
  linux-image-nvidia-lowlatency               5.15.0.1054.54
  linux-image-oracle-lts-22.04                5.15.0.1059.55
  linux-image-virtual                         5.15.0.106.106

Ubuntu 20.04 LTS
  linux-image-5.15.0-1044-gkeop               5.15.0-1044.51~20.04.1
  linux-image-5.15.0-1054-ibm                 5.15.0-1054.57~20.04.1
  linux-image-5.15.0-1059-gcp                 5.15.0-1059.67~20.04.1
  linux-image-5.15.0-1059-oracle              5.15.0-1059.65~20.04.1
  linux-image-5.15.0-106-lowlatency           5.15.0-106.116~20.04.1
  linux-image-5.15.0-106-lowlatency-64k       5.15.0-106.116~20.04.1
  linux-image-5.15.0-1063-azure               5.15.0-1063.72~20.04.1
  linux-image-5.15.0-1063-azure-fde           5.15.0-1063.72~20.04.1.1
  linux-image-azure                           5.15.0.1063.72~20.04.1
  linux-image-azure-cvm                       5.15.0.1063.72~20.04.1
  linux-image-azure-fde                       5.15.0.1063.72~20.04.1.41
  linux-image-gcp                             5.15.0.1059.67~20.04.1
  linux-image-gkeop-5.15                      5.15.0.1044.51~20.04.1
  linux-image-ibm                             5.15.0.1054.57~20.04.1
  linux-image-lowlatency-64k-hwe-20.04        5.15.0.106.116~20.04.1
  linux-image-lowlatency-hwe-20.04            5.15.0.106.116~20.04.1
  linux-image-oracle                          5.15.0.1059.65~20.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-6766-1
  CVE-2023-52435, CVE-2023-52486, CVE-2023-52489, CVE-2023-52491, CVE-2023-52492, CVE-2023-52493,
  CVE-2023-52494, CVE-2023-52498, CVE-2023-52583, CVE-2023-52587, CVE-2023-52588, CVE-2023-52594,
  CVE-2023-52595, CVE-2023-52597, CVE-2023-52598, CVE-2023-52599, CVE-2023-52601, CVE-2023-52602,
  CVE-2023-52604, CVE-2023-52606, CVE-2023-52607, CVE-2023-52608, CVE-2023-52614, CVE-2023-52615,
  CVE-2023-52616, CVE-2023-52617, CVE-2023-52618, CVE-2023-52619, CVE-2023-52622, CVE-2023-52623,
  CVE-2023-52627, CVE-2023-52631, CVE-2023-52633, CVE-2023-52635, CVE-2023-52637, CVE-2023-52638,
  CVE-2023-52642, CVE-2023-52643, CVE-2024-1151, CVE-2024-2201, CVE-2024-23849, CVE-2024-26592,
  CVE-2024-26593, CVE-2024-26594, CVE-2024-26600, CVE-2024-26602, CVE-2024-26606, CVE-2024-26608,
  CVE-2024-26610, CVE-2024-26614, CVE-2024-26615, CVE-2024-26625, CVE-2024-26627, CVE-2024-26635,
  CVE-2024-26636, CVE-2024-26640, CVE-2024-26641, CVE-2024-26644, CVE-2024-26645, CVE-2024-26660,
  CVE-2024-26663, CVE-2024-26664, CVE-2024-26665, CVE-2024-26668, CVE-2024-26671, CVE-2024-26673,
  CVE-2024-26675, CVE-2024-26676, CVE-2024-26679, CVE-2024-26684, CVE-2024-26685, CVE-2024-26689,
  CVE-2024-26695, CVE-2024-26696, CVE-2024-26697, CVE-2024-26698, CVE-2024-26702, CVE-2024-26704,
  CVE-2024-26707, CVE-2024-26712, CVE-2024-26715, CVE-2024-26717, CVE-2024-26720, CVE-2024-26722,
  CVE-2024-26808, CVE-2024-26825, CVE-2024-26826, CVE-2024-26829, CVE-2024-26910, CVE-2024-26916,
  CVE-2024-26920

Package Information:
  https://launchpad.net/ubuntu/+source/linux/5.15.0-106.116
  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1063.72
  https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1063.72.1
  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1059.67
  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1058.63
  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1044.51
  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1054.57
  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1058.63
  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-106.116
  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1054.55
  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1059.65
  https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1063.72~20.04.1
  https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1063.72~20.04.1.1
  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1059.67~20.04.1
  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1044.51~20.04.1
  https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1054.57~20.04.1
  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-106.116~20.04.1
  https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1059.65~20.04.1

From rodrigo.zaiden at canonical.com Tue May 7 19:58:20 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Tue, 7 May 2024 16:58:20 -0300
Subject: [USN-6767-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6767-1
May 07, 2024

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-iot: Linux kernel for IoT platforms
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-5.4: Linux hardware enablement (HWE) kernel
- linux-ibm-5.4: Linux kernel for IBM cloud systems
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems

Details:

Chenyuan Yang discovered that the RDS Protocol implementation in the Linux kernel contained an out-of-bounds read vulnerability. An attacker could use this to possibly cause a denial of service (system crash). (CVE-2024-23849)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - ARM64 architecture;
  - PowerPC architecture;
  - S390 architecture;
  - Block layer subsystem;
  - Android drivers;
  - Hardware random number generator core;
  - GPU drivers;
  - Hardware monitoring drivers;
  - I2C subsystem;
  - IIO Magnetometer sensors drivers;
  - InfiniBand drivers;
  - Network drivers;
  - PCI driver for MicroSemi Switchtec;
  - PHY drivers;
  - Ceph distributed file system;
  - Ext4 file system;
  - JFS file system;
  - NILFS2 file system;
  - Pstore file system;
  - Core kernel;
  - Memory management;
  - CAN network layer;
  - Networking core;
  - IPv4 networking;
  - Logical Link layer;
  - Netfilter;
  - NFC subsystem;
  - SMC sockets;
  - Sun RPC protocol;
  - TIPC protocol;
  - Realtek audio codecs;
(CVE-2024-26696, CVE-2023-52583, CVE-2024-26720, CVE-2023-52615, CVE-2023-52599, CVE-2023-52587,
CVE-2024-26635, CVE-2024-26704, CVE-2024-26625, CVE-2024-26825, CVE-2023-52622, CVE-2023-52435,
CVE-2023-52617, CVE-2023-52598, CVE-2024-26645, CVE-2023-52619, CVE-2024-26593, CVE-2024-26685,
CVE-2023-52602, CVE-2023-52486, CVE-2024-26697, CVE-2024-26675, CVE-2024-26600, CVE-2023-52604,
CVE-2024-26664, CVE-2024-26606, CVE-2023-52594, CVE-2024-26671, CVE-2024-26598, CVE-2024-26673,
CVE-2024-26920, CVE-2024-26722, CVE-2023-52601, CVE-2024-26602, CVE-2023-52637, CVE-2023-52623,
CVE-2024-26702, CVE-2023-52597, CVE-2024-26684, CVE-2023-52606, CVE-2024-26679, CVE-2024-26663,
CVE-2024-26910, CVE-2024-26615, CVE-2023-52595, CVE-2023-52607, CVE-2024-26636)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
  linux-image-5.4.0-1036-iot  5.4.0-1036.37
  linux-image-5.4.0-1043-xilinx-zynqmp  5.4.0-1043.47
  linux-image-5.4.0-1071-ibm  5.4.0-1071.76
  linux-image-5.4.0-1091-gkeop  5.4.0-1091.95
  linux-image-5.4.0-1108-raspi  5.4.0-1108.120
  linux-image-5.4.0-1112-kvm  5.4.0-1112.119
  linux-image-5.4.0-1123-oracle  5.4.0-1123.132
  linux-image-5.4.0-1124-aws  5.4.0-1124.134
  linux-image-5.4.0-1128-gcp  5.4.0-1128.137
  linux-image-5.4.0-1129-azure  5.4.0-1129.136
  linux-image-5.4.0-181-generic  5.4.0-181.201
  linux-image-5.4.0-181-generic-lpae  5.4.0-181.201
  linux-image-5.4.0-181-lowlatency  5.4.0-181.201
  linux-image-aws-lts-20.04  5.4.0.1124.121
  linux-image-azure-lts-20.04  5.4.0.1129.123
  linux-image-gcp-lts-20.04  5.4.0.1128.130
  linux-image-generic  5.4.0.181.179
  linux-image-generic-lpae  5.4.0.181.179
  linux-image-gkeop  5.4.0.1091.89
  linux-image-gkeop-5.4  5.4.0.1091.89
  linux-image-ibm-lts-20.04  5.4.0.1071.100
  linux-image-kvm  5.4.0.1112.108
  linux-image-lowlatency  5.4.0.181.179
  linux-image-oem  5.4.0.181.179
  linux-image-oem-osp1  5.4.0.181.179
  linux-image-oracle-lts-20.04  5.4.0.1123.116
  linux-image-raspi  5.4.0.1108.138
  linux-image-raspi2  5.4.0.1108.138
  linux-image-virtual  5.4.0.181.179
  linux-image-xilinx-zynqmp  5.4.0.1043.43

Ubuntu 18.04 LTS
  linux-image-5.4.0-1071-ibm  5.4.0-1071.76~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1108-raspi  5.4.0-1108.120~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1123-oracle  5.4.0-1123.132~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1124-aws  5.4.0-1124.134~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1128-gcp  5.4.0-1128.137~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1129-azure  5.4.0-1129.136~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-181-generic  5.4.0-181.201~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-181-lowlatency  5.4.0-181.201~18.04.1
    Available with Ubuntu Pro
  linux-image-aws  5.4.0.1124.134~18.04.1
    Available with Ubuntu Pro
  linux-image-azure  5.4.0.1129.136~18.04.1
    Available with Ubuntu Pro
  linux-image-gcp  5.4.0.1128.137~18.04.1
    Available with Ubuntu Pro
  linux-image-generic-hwe-18.04  5.4.0.181.201~18.04.1
    Available with Ubuntu Pro
  linux-image-ibm  5.4.0.1071.76~18.04.1
    Available with Ubuntu Pro
  linux-image-lowlatency-hwe-18.04  5.4.0.181.201~18.04.1
    Available with Ubuntu Pro
  linux-image-oem  5.4.0.181.201~18.04.1
    Available with Ubuntu Pro
  linux-image-oem-osp1  5.4.0.181.201~18.04.1
    Available with Ubuntu Pro
  linux-image-oracle  5.4.0.1123.132~18.04.1
    Available with Ubuntu Pro
  linux-image-raspi-hwe-18.04  5.4.0.1108.120~18.04.1
    Available with Ubuntu Pro
  linux-image-snapdragon-hwe-18.04  5.4.0.181.201~18.04.1
    Available with Ubuntu Pro
  linux-image-virtual-hwe-18.04  5.4.0.181.201~18.04.1
    Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-6767-1
  CVE-2023-52435, CVE-2023-52486, CVE-2023-52583, CVE-2023-52587, CVE-2023-52594, CVE-2023-52595,
  CVE-2023-52597, CVE-2023-52598, CVE-2023-52599, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604,
  CVE-2023-52606, CVE-2023-52607, CVE-2023-52615, CVE-2023-52617, CVE-2023-52619, CVE-2023-52622,
  CVE-2023-52623, CVE-2023-52637, CVE-2024-23849, CVE-2024-26593, CVE-2024-26598, CVE-2024-26600,
  CVE-2024-26602, CVE-2024-26606, CVE-2024-26615, CVE-2024-26625, CVE-2024-26635, CVE-2024-26636,
  CVE-2024-26645, CVE-2024-26663, CVE-2024-26664, CVE-2024-26671, CVE-2024-26673, CVE-2024-26675,
  CVE-2024-26679, CVE-2024-26684, CVE-2024-26685, CVE-2024-26696, CVE-2024-26697, CVE-2024-26702,
  CVE-2024-26704, CVE-2024-26720, CVE-2024-26722, CVE-2024-26825, CVE-2024-26910, CVE-2024-26920

Package Information:
  https://launchpad.net/ubuntu/+source/linux/5.4.0-181.201
  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1124.134
  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1129.136
  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1128.137
  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1091.95
  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1071.76
  https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1036.37
  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1112.119
  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1123.132
  https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1108.120
  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1043.47

From marc.deslauriers at canonical.com Thu May 9 14:18:02 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Thu, 9 May 2024 10:18:02 -0400
Subject: [USN-6768-1] GLib vulnerability
Message-ID: <836ea151-ef95-4bca-a8f4-373cfd8c1a35@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6768-1
May 09, 2024

glib2.0 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

GLib could be made to accept spoofed D-Bus signals.

Software Description:
- glib2.0: GLib library of C routines

Details:

Alicia Boya García discovered that GLib incorrectly handled signal subscriptions. A local attacker could use this issue to spoof D-Bus signals resulting in a variety of impacts including possible privilege escalation.
Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  libglib2.0-0t64  2.80.0-6ubuntu3.1
  libglib2.0-bin  2.80.0-6ubuntu3.1

Ubuntu 23.10
  libglib2.0-0  2.78.0-2ubuntu0.1
  libglib2.0-bin  2.78.0-2ubuntu0.1

Ubuntu 22.04 LTS
  libglib2.0-0  2.72.4-0ubuntu2.3
  libglib2.0-bin  2.72.4-0ubuntu2.3

Ubuntu 20.04 LTS
  libglib2.0-0  2.64.6-1~ubuntu20.04.7
  libglib2.0-bin  2.64.6-1~ubuntu20.04.7

After a standard system update you need to reboot your computer to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6768-1
  CVE-2024-34397

Package Information:
  https://launchpad.net/ubuntu/+source/glib2.0/2.80.0-6ubuntu3.1
  https://launchpad.net/ubuntu/+source/glib2.0/2.78.0-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/glib2.0/2.72.4-0ubuntu2.3
  https://launchpad.net/ubuntu/+source/glib2.0/2.64.6-1~ubuntu20.04.7

From ian.constantin at canonical.com Thu May 9 19:46:03 2024
From: ian.constantin at canonical.com (Ian Constantin)
Date: Thu, 9 May 2024 22:46:03 +0300
Subject: [USN-6769-1] Spreadsheet::ParseXLSX vulnerabilities
Message-ID: <5eb2e883-e685-476f-8040-04f23a7e01a8@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6769-1
May 09, 2024

libspreadsheet-parsexlsx-perl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in libspreadsheet-parsexlsx-perl.
Software Description:
- libspreadsheet-parsexlsx-perl: Perl module to parse XLSX files

Details:

Le Dinh Hai discovered that Spreadsheet::ParseXLSX did not properly manage memory during cell merge operations. An attacker could possibly use this issue to consume large amounts of memory, resulting in a denial of service condition. (CVE-2024-22368)

An Pham discovered that Spreadsheet::ParseXLSX allowed the processing of external entities in a default configuration. An attacker could possibly use this vulnerability to execute an XML External Entity (XXE) injection attack. (CVE-2024-23525)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10
  libspreadsheet-parsexlsx-perl  0.27-3+deb12u2build0.23.10.1

Ubuntu 22.04 LTS
  libspreadsheet-parsexlsx-perl  0.27-2.1+deb11u2build0.22.04.1

Ubuntu 20.04 LTS
  libspreadsheet-parsexlsx-perl  0.27-2+deb10u1build0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6769-1
  CVE-2024-22368, CVE-2024-23525

Package Information:
  https://launchpad.net/ubuntu/+source/libspreadsheet-parsexlsx-perl/0.27-3+deb12u2build0.23.10.1
  https://launchpad.net/ubuntu/+source/libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u2build0.22.04.1
  https://launchpad.net/ubuntu/+source/libspreadsheet-parsexlsx-perl/0.27-2+deb10u1build0.20.04.1

From ian.constantin at canonical.com Thu May 9 19:48:02 2024
From: ian.constantin at canonical.com (Ian Constantin)
Date: Thu, 9 May 2024 22:48:02 +0300
Subject: [USN-6770-1] Fossil regression

==========================================================================
Ubuntu Security Notice USN-6770-1
May 09, 2024

fossil regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Fossil regression

Software Description:
- fossil: DSCM with built-in wiki, http interface and server, tickets datab

Details:

USN-6729-1 fixed vulnerabilities in Apache HTTP Server. The update led to the discovery of a regression in Fossil with regards to the handling of POST requests that do not have a Content-Length field set. This update fixes the problem.

We apologize for the inconvenience.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  fossil  1:2.23-1ubuntu0.1

Ubuntu 23.10
  fossil  1:2.22-1ubuntu0.1

Ubuntu 22.04 LTS
  fossil  1:2.18-1ubuntu0.1

Ubuntu 20.04 LTS
  fossil  1:2.10-1ubuntu0.1

Ubuntu 18.04 LTS
  fossil  1:2.5-1ubuntu0.1~esm1
    Available with Ubuntu Pro

Ubuntu 16.04 LTS
  fossil  1:1.33-3ubuntu0.1~esm1
    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
References:
  https://ubuntu.com/security/notices/USN-6770-1
  https://launchpad.net/bugs/2064509

Package Information:
  https://launchpad.net/ubuntu/+source/fossil/1:2.23-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/fossil/1:2.22-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/fossil/1:2.18-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/fossil/1:2.10-1ubuntu0.1

From leo.barbosa at canonical.com Mon May 13 16:00:41 2024
From: leo.barbosa at canonical.com (Leonidas S. Barbosa)
Date: Mon, 13 May 2024 13:00:41 -0300
Subject: [USN-6771-1] SQL parse vulnerability
Message-ID: <20240513160041.GA348453@tpl41n>

==========================================================================
Ubuntu Security Notice USN-6771-1
May 13, 2024

sqlparse vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

SQL parse could be made to cause a denial of service if it received a specially crafted input.

Software Description:
- sqlparse: documentation for non-validating SQL parser in Python

Details:

It was discovered that SQL parse incorrectly handled certain nested lists. An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  python3-sqlparse  0.4.4-1ubuntu0.1

Ubuntu 23.10
  python3-sqlparse  0.4.2-1ubuntu1.1

Ubuntu 22.04 LTS
  python3-sqlparse  0.4.2-1ubuntu0.22.04.2

In general, a standard system update will make all the necessary changes.
References:
  https://ubuntu.com/security/notices/USN-6771-1
  CVE-2024-4340

Package Information:
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.4-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.22.04.2

From marc.deslauriers at canonical.com Tue May 14 12:28:07 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Tue, 14 May 2024 14:28:07 +0200
Subject: [USN-6772-1] strongSwan vulnerability
Message-ID: <8bce1b9c-a263-4ae0-a942-fef865a4dcff@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6772-1
May 14, 2024

strongswan vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Fraudulent security certificates could allow access controls to be bypassed.

Software Description:
- strongswan: IPsec VPN solution

Details:

Jan Schermer discovered that strongSwan incorrectly validated client certificates in certain configurations. A remote attacker could possibly use this issue to bypass access controls.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  libstrongswan  5.9.5-2ubuntu2.3
  strongswan  5.9.5-2ubuntu2.3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6772-1
  CVE-2022-4967

Package Information:
  https://launchpad.net/ubuntu/+source/strongswan/5.9.5-2ubuntu2.3

From rodrigo.zaiden at canonical.com Tue May 14 14:41:23 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Tue, 14 May 2024 16:41:23 +0200
Subject: [USN-6767-2] Linux kernel (BlueField) vulnerabilities
Message-ID: <3baa3dd3-d36d-49fe-8c08-d6a7595d3499@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6767-2
May 14, 2024

linux-bluefield vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-bluefield: Linux kernel for NVIDIA BlueField platforms

Details:

Chenyuan Yang discovered that the RDS Protocol implementation in the Linux kernel contained an out-of-bounds read vulnerability. An attacker could use this to possibly cause a denial of service (system crash). (CVE-2024-23849)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - ARM64 architecture;
  - PowerPC architecture;
  - S390 architecture;
  - Block layer subsystem;
  - Android drivers;
  - Hardware random number generator core;
  - GPU drivers;
  - Hardware monitoring drivers;
  - I2C subsystem;
  - IIO Magnetometer sensors drivers;
  - InfiniBand drivers;
  - Network drivers;
  - PCI driver for MicroSemi Switchtec;
  - PHY drivers;
  - Ceph distributed file system;
  - Ext4 file system;
  - JFS file system;
  - NILFS2 file system;
  - Pstore file system;
  - Core kernel;
  - Memory management;
  - CAN network layer;
  - Networking core;
  - IPv4 networking;
  - Logical Link layer;
  - Netfilter;
  - NFC subsystem;
  - SMC sockets;
  - Sun RPC protocol;
  - TIPC protocol;
  - Realtek audio codecs;
(CVE-2024-26696, CVE-2023-52583, CVE-2024-26720, CVE-2023-52615, CVE-2023-52599, CVE-2023-52587,
CVE-2024-26635, CVE-2024-26704, CVE-2024-26625, CVE-2024-26825, CVE-2023-52622, CVE-2023-52435,
CVE-2023-52617, CVE-2023-52598, CVE-2024-26645, CVE-2023-52619, CVE-2024-26593, CVE-2024-26685,
CVE-2023-52602, CVE-2023-52486, CVE-2024-26697, CVE-2024-26675, CVE-2024-26600, CVE-2023-52604,
CVE-2024-26664, CVE-2024-26606, CVE-2023-52594, CVE-2024-26671, CVE-2024-26598, CVE-2024-26673,
CVE-2024-26920, CVE-2024-26722, CVE-2023-52601, CVE-2024-26602, CVE-2023-52637, CVE-2023-52623,
CVE-2024-26702, CVE-2023-52597, CVE-2024-26684, CVE-2023-52606, CVE-2024-26679, CVE-2024-26663,
CVE-2024-26910, CVE-2024-26615, CVE-2023-52595, CVE-2023-52607, CVE-2024-26636)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
  linux-image-5.4.0-1084-bluefield  5.4.0-1084.91
  linux-image-bluefield  5.4.0.1084.80

After a standard system update you need to reboot your computer to make all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-6767-2
  https://ubuntu.com/security/notices/USN-6767-1
  CVE-2023-52435, CVE-2023-52486, CVE-2023-52583, CVE-2023-52587, CVE-2023-52594, CVE-2023-52595,
  CVE-2023-52597, CVE-2023-52598, CVE-2023-52599, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604,
  CVE-2023-52606, CVE-2023-52607, CVE-2023-52615, CVE-2023-52617, CVE-2023-52619, CVE-2023-52622,
  CVE-2023-52623, CVE-2023-52637, CVE-2024-23849, CVE-2024-26593, CVE-2024-26598, CVE-2024-26600,
  CVE-2024-26602, CVE-2024-26606, CVE-2024-26615, CVE-2024-26625, CVE-2024-26635, CVE-2024-26636,
  CVE-2024-26645, CVE-2024-26663, CVE-2024-26664, CVE-2024-26671, CVE-2024-26673, CVE-2024-26675,
  CVE-2024-26679, CVE-2024-26684, CVE-2024-26685, CVE-2024-26696, CVE-2024-26697, CVE-2024-26702,
  CVE-2024-26704, CVE-2024-26720, CVE-2024-26722, CVE-2024-26825, CVE-2024-26910, CVE-2024-26920

Package Information:
  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1084.91

From rodrigo.zaiden at canonical.com Wed May 15 15:32:53 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Wed, 15 May 2024 17:32:53 +0200
Subject: [USN-6766-2] Linux kernel vulnerabilities
Message-ID: <1a85869c-c415-4c45-a2c2-6dbc87e19c49@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6766-2
May 15, 2024

linux-hwe-5.15, linux-raspi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-hwe-5.15: Linux hardware enablement (HWE) kernel

Details:

It was discovered that the Open vSwitch implementation in the Linux kernel could overflow its stack during recursive action operations under certain conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-1151)

Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida discovered that the Linux kernel mitigations for the initial Branch History Injection vulnerability (CVE-2022-0001) were insufficient for Intel processors. A local attacker could potentially use this to expose sensitive information. (CVE-2024-2201)

Chenyuan Yang discovered that the RDS Protocol implementation in the Linux kernel contained an out-of-bounds read vulnerability. An attacker could use this to possibly cause a denial of service (system crash). (CVE-2024-23849)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - PowerPC architecture;
  - S390 architecture;
  - Core kernel;
  - Block layer subsystem;
  - Android drivers;
  - Power management core;
  - Bus devices;
  - Hardware random number generator core;
  - Cryptographic API;
  - Device frequency;
  - DMA engine subsystem;
  - ARM SCMI message protocol;
  - GPU drivers;
  - HID subsystem;
  - Hardware monitoring drivers;
  - I2C subsystem;
  - IIO ADC drivers;
  - IIO subsystem;
  - IIO Magnetometer sensors drivers;
  - InfiniBand drivers;
  - Media drivers;
  - Network drivers;
  - PCI driver for MicroSemi Switchtec;
  - PHY drivers;
  - SCSI drivers;
  - DesignWare USB3 driver;
  - BTRFS file system;
  - Ceph distributed file system;
  - Ext4 file system;
  - F2FS file system;
  - JFS file system;
  - NILFS2 file system;
  - NTFS3 file system;
  - Pstore file system;
  - SMB network file system;
  - Memory management;
  - CAN network layer;
  - Networking core;
  - HSR network protocol;
  - IPv4 networking;
  - IPv6 networking;
  - Logical Link layer;
  - Multipath TCP;
  - Netfilter;
  - NFC subsystem;
  - SMC sockets;
  - Sun RPC protocol;
  - TIPC protocol;
  - Unix domain sockets;
  - Realtek audio codecs;
(CVE-2023-52594, CVE-2023-52601, CVE-2024-26826, CVE-2023-52622, CVE-2024-26665, CVE-2023-52493,
CVE-2023-52633, CVE-2024-26684, CVE-2024-26663, CVE-2023-52618, CVE-2023-52588, CVE-2023-52637,
CVE-2024-26825, CVE-2023-52606, CVE-2024-26594, CVE-2024-26625, CVE-2024-26720, CVE-2024-26614,
CVE-2023-52627, CVE-2023-52602, CVE-2024-26673, CVE-2024-26685, CVE-2023-52638, CVE-2023-52498,
CVE-2023-52619, CVE-2024-26910, CVE-2024-26689, CVE-2023-52583, CVE-2024-26676, CVE-2024-26671,
CVE-2024-26704, CVE-2024-26608, CVE-2024-26610, CVE-2024-26592, CVE-2023-52599, CVE-2023-52595,
CVE-2024-26660, CVE-2023-52617, CVE-2024-26645, CVE-2023-52486, CVE-2023-52631, CVE-2023-52607,
CVE-2023-52608, CVE-2024-26722, CVE-2024-26615, CVE-2023-52615, CVE-2024-26636, CVE-2023-52642,
CVE-2023-52587, CVE-2024-26712, CVE-2024-26675, CVE-2023-52614, CVE-2024-26606, CVE-2024-26916,
CVE-2024-26600, CVE-2024-26679, CVE-2024-26829, CVE-2024-26641, CVE-2023-52623, CVE-2024-26627,
CVE-2024-26696, CVE-2024-26640, CVE-2024-26635, CVE-2023-52491, CVE-2024-26664, CVE-2024-26602,
CVE-2023-52604, CVE-2024-26717, CVE-2023-52643, CVE-2024-26593, CVE-2023-52598, CVE-2024-26668,
CVE-2023-52435, CVE-2023-52597, CVE-2024-26715, CVE-2024-26707, CVE-2023-52635, CVE-2024-26695,
CVE-2024-26698, CVE-2023-52494, CVE-2024-26920, CVE-2024-26808, CVE-2023-52616, CVE-2023-52492,
CVE-2024-26702, CVE-2024-26644, CVE-2023-52489, CVE-2024-26697)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  linux-image-5.15.0-1054-raspi  5.15.0-1054.57
  linux-image-raspi  5.15.0.1054.52
  linux-image-raspi-nolpae  5.15.0.1054.52

Ubuntu 20.04 LTS
  linux-image-5.15.0-106-generic  5.15.0-106.116~20.04.1
  linux-image-5.15.0-106-generic-64k  5.15.0-106.116~20.04.1
  linux-image-5.15.0-106-generic-lpae  5.15.0-106.116~20.04.1
  linux-image-generic-64k-hwe-20.04  5.15.0.106.116~20.04.1
  linux-image-generic-hwe-20.04  5.15.0.106.116~20.04.1
  linux-image-generic-lpae-hwe-20.04  5.15.0.106.116~20.04.1
  linux-image-oem-20.04  5.15.0.106.116~20.04.1
  linux-image-oem-20.04b  5.15.0.106.116~20.04.1
  linux-image-oem-20.04c  5.15.0.106.116~20.04.1
  linux-image-oem-20.04d  5.15.0.106.116~20.04.1
  linux-image-virtual-hwe-20.04  5.15.0.106.116~20.04.1

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.
References: https://ubuntu.com/security/notices/USN-6766-2 https://ubuntu.com/security/notices/USN-6766-1 CVE-2023-52435, CVE-2023-52486, CVE-2023-52489, CVE-2023-52491, CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52498, CVE-2023-52583, CVE-2023-52587, CVE-2023-52588, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597, CVE-2023-52598, CVE-2023-52599, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604, CVE-2023-52606, CVE-2023-52607, CVE-2023-52608, CVE-2023-52614, CVE-2023-52615, CVE-2023-52616, CVE-2023-52617, CVE-2023-52618, CVE-2023-52619, CVE-2023-52622, CVE-2023-52623, CVE-2023-52627, CVE-2023-52631, CVE-2023-52633, CVE-2023-52635, CVE-2023-52637, CVE-2023-52638, CVE-2023-52642, CVE-2023-52643, CVE-2024-1151, CVE-2024-2201, CVE-2024-23849, CVE-2024-26592, CVE-2024-26593, CVE-2024-26594, CVE-2024-26600, CVE-2024-26602, CVE-2024-26606, CVE-2024-26608, CVE-2024-26610, CVE-2024-26614, CVE-2024-26615, CVE-2024-26625, CVE-2024-26627, CVE-2024-26635, CVE-2024-26636, CVE-2024-26640, CVE-2024-26641, CVE-2024-26644, CVE-2024-26645, CVE-2024-26660, CVE-2024-26663, CVE-2024-26664, CVE-2024-26665, CVE-2024-26668, CVE-2024-26671, CVE-2024-26673, CVE-2024-26675, CVE-2024-26676, CVE-2024-26679, CVE-2024-26684, CVE-2024-26685, CVE-2024-26689, CVE-2024-26695, CVE-2024-26696, CVE-2024-26697, CVE-2024-26698, CVE-2024-26702, CVE-2024-26704, CVE-2024-26707, CVE-2024-26712, CVE-2024-26715, CVE-2024-26717, CVE-2024-26720, CVE-2024-26722, CVE-2024-26808, CVE-2024-26825, CVE-2024-26826, CVE-2024-26829, CVE-2024-26910, CVE-2024-26916, CVE-2024-26920 Package Information: https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1054.57 https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-106.116~20.04.1 -------------- next part -------------- A non-text attachment was scrubbed... 

From ian.constantin at canonical.com Thu May 16 13:58:27 2024
From: ian.constantin at canonical.com (Ian Constantin)
Date: Thu, 16 May 2024 16:58:27 +0300
Subject: [USN-6773-1] .NET vulnerabilities
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6773-1
May 16, 2024

dotnet7, dotnet8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in .NET.

Software Description:
- dotnet8: .NET CLI tools and runtime
- dotnet7: .NET CLI tools and runtime

Details:

It was discovered that .NET did not properly handle memory in its
Double Parse routine. An attacker could possibly use this issue to
achieve remote code execution. (CVE-2024-30045)

It was discovered that .NET did not properly handle the usage of a
shared resource. An attacker could possibly use this to cause a
dead-lock condition, resulting in a denial of service.
(CVE-2024-30046)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  aspnetcore-runtime-8.0          8.0.5-0ubuntu1~24.04.1
  dotnet-host-8.0                 8.0.5-0ubuntu1~24.04.1
  dotnet-hostfxr-8.0              8.0.5-0ubuntu1~24.04.1
  dotnet-runtime-8.0              8.0.5-0ubuntu1~24.04.1
  dotnet-sdk-8.0                  8.0.105-0ubuntu1~24.04.1
  dotnet8                         8.0.105-8.0.5-0ubuntu1~24.04.1

Ubuntu 23.10
  aspnetcore-runtime-7.0          7.0.119-0ubuntu1~23.10.1
  aspnetcore-runtime-8.0          8.0.5-0ubuntu1~23.10.1
  dotnet-host-7.0                 7.0.119-0ubuntu1~23.10.1
  dotnet-host-8.0                 8.0.5-0ubuntu1~23.10.1
  dotnet-hostfxr-7.0              7.0.119-0ubuntu1~23.10.1
  dotnet-hostfxr-8.0              8.0.5-0ubuntu1~23.10.1
  dotnet-runtime-7.0              7.0.119-0ubuntu1~23.10.1
  dotnet-runtime-8.0              8.0.5-0ubuntu1~23.10.1
  dotnet-sdk-7.0                  7.0.119-0ubuntu1~23.10.1
  dotnet-sdk-8.0                  8.0.105-0ubuntu1~23.10.1
  dotnet7                         7.0.119-0ubuntu1~23.10.1
  dotnet8                         8.0.105-8.0.5-0ubuntu1~23.10.1

Ubuntu 22.04 LTS
  aspnetcore-runtime-7.0          7.0.119-0ubuntu1~22.04.1
  aspnetcore-runtime-8.0          8.0.5-0ubuntu1~22.04.1
  dotnet-host-7.0                 7.0.119-0ubuntu1~22.04.1
  dotnet-host-8.0                 8.0.5-0ubuntu1~22.04.1
  dotnet-hostfxr-7.0              7.0.119-0ubuntu1~22.04.1
  dotnet-hostfxr-8.0              8.0.5-0ubuntu1~22.04.1
  dotnet-runtime-7.0              7.0.119-0ubuntu1~22.04.1
  dotnet-runtime-8.0              8.0.5-0ubuntu1~22.04.1
  dotnet-sdk-7.0                  7.0.119-0ubuntu1~22.04.1
  dotnet-sdk-8.0                  8.0.105-0ubuntu1~22.04.1
  dotnet7                         7.0.119-0ubuntu1~22.04.1
  dotnet8                         8.0.105-8.0.5-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6773-1
  CVE-2024-30045, CVE-2024-30046

Package Information:
  https://launchpad.net/ubuntu/+source/dotnet8/8.0.105-8.0.5-0ubuntu1~24.04.1
  https://launchpad.net/ubuntu/+source/dotnet7/7.0.119-0ubuntu1~23.10.1
  https://launchpad.net/ubuntu/+source/dotnet8/8.0.105-8.0.5-0ubuntu1~23.10.1
  https://launchpad.net/ubuntu/+source/dotnet7/7.0.119-0ubuntu1~22.04.1
  https://launchpad.net/ubuntu/+source/dotnet8/8.0.105-8.0.5-0ubuntu1~22.04.1

From rodrigo.zaiden at canonical.com Thu May 16 16:01:39 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Thu, 16 May 2024 18:01:39 +0200
Subject: [USN-6774-1] Linux kernel vulnerabilities
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6774-1
May 16, 2024

linux, linux-aws, linux-aws-6.5, linux-azure, linux-azure-6.5, linux-gcp,
linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency,
linux-lowlatency-hwe-6.5, linux-nvidia-6.5, linux-oem-6.5, linux-oracle,
linux-oracle-6.5, linux-raspi, linux-signed, linux-signed-aws,
linux-signed-aws-6.5, linux-starfive, linux-starfive-6.5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-laptop: Linux kernel for Lenovo X13s ARM laptops
- linux-lowlatency: Linux low latency kernel
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-starfive: Linux kernel for StarFive processors
- linux-aws-6.5: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-6.5: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-6.5: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-6.5: Linux hardware enablement (HWE) kernel
- linux-lowlatency-hwe-6.5: Linux low latency kernel
- linux-nvidia-6.5: Linux kernel for NVIDIA systems
- linux-oem-6.5: Linux kernel for OEM systems
- linux-oracle-6.5: Linux kernel for Oracle Cloud systems
- linux-starfive-6.5: Linux kernel for StarFive processors

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a
use-after-free vulnerability. A physically proximate attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-47233)

Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano
Giuffrida discovered that the Linux kernel mitigations for the initial
Branch History Injection vulnerability (CVE-2022-0001) were insufficient
for Intel processors. A local attacker could potentially use this to
expose sensitive information. (CVE-2024-2201)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - Hardware random number generator core;
  - Ext4 file system;
  - JFS file system;
  - Bluetooth subsystem;
  - Networking core;
  - IPv4 networking;
  - Logical Link layer;
  - Netlink;
  - Tomoyo security module;
(CVE-2024-26704, CVE-2023-52615, CVE-2024-26805, CVE-2023-52604,
CVE-2024-26614, CVE-2023-52602, CVE-2024-26635, CVE-2024-26622,
CVE-2023-52601, CVE-2024-26801)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  linux-image-6.5.0-1014-starfive  6.5.0-1014.15
  linux-image-6.5.0-1016-laptop  6.5.0-1016.19
  linux-image-6.5.0-1017-raspi  6.5.0-1017.20
  linux-image-6.5.0-1020-aws  6.5.0-1020.20
  linux-image-6.5.0-1020-gcp  6.5.0-1020.20
  linux-image-6.5.0-1021-azure  6.5.0-1021.22
  linux-image-6.5.0-1021-azure-fde  6.5.0-1021.22
  linux-image-6.5.0-1023-oracle  6.5.0-1023.23
  linux-image-6.5.0-1023-oracle-64k  6.5.0-1023.23
  linux-image-6.5.0-35-generic  6.5.0-35.35
  linux-image-6.5.0-35-generic-64k  6.5.0-35.35
  linux-image-6.5.0-35-lowlatency  6.5.0-35.35.1
  linux-image-6.5.0-35-lowlatency-64k  6.5.0-35.35.1
  linux-image-aws  6.5.0.1020.20
  linux-image-azure  6.5.0.1021.25
  linux-image-azure-fde  6.5.0.1021.25
  linux-image-gcp  6.5.0.1020.20
  linux-image-generic  6.5.0.35.35
  linux-image-generic-64k  6.5.0.35.35
  linux-image-generic-lpae  6.5.0.35.35
  linux-image-kvm  6.5.0.35.35
  linux-image-laptop-23.10  6.5.0.1016.19
  linux-image-lowlatency  6.5.0.35.35.1
  linux-image-lowlatency-64k  6.5.0.35.35.1
  linux-image-oracle  6.5.0.1023.25
  linux-image-oracle-64k  6.5.0.1023.25
  linux-image-raspi  6.5.0.1017.18
  linux-image-raspi-nolpae  6.5.0.1017.18
  linux-image-starfive  6.5.0.1014.16
  linux-image-virtual  6.5.0.35.35

Ubuntu 22.04 LTS
  linux-image-6.5.0-1014-starfive  6.5.0-1014.15~22.04.1
  linux-image-6.5.0-1019-nvidia  6.5.0-1019.19
  linux-image-6.5.0-1019-nvidia-64k  6.5.0-1019.19
  linux-image-6.5.0-1020-aws  6.5.0-1020.20~22.04.1
  linux-image-6.5.0-1020-gcp  6.5.0-1020.20~22.04.1
  linux-image-6.5.0-1021-azure  6.5.0-1021.22~22.04.1
  linux-image-6.5.0-1021-azure-fde  6.5.0-1021.22~22.04.1
  linux-image-6.5.0-1023-oem  6.5.0-1023.24
  linux-image-6.5.0-1023-oracle  6.5.0-1023.23~22.04.1
  linux-image-6.5.0-1023-oracle-64k  6.5.0-1023.23~22.04.1
  linux-image-6.5.0-35-generic  6.5.0-35.35~22.04.1
  linux-image-6.5.0-35-generic-64k  6.5.0-35.35~22.04.1
  linux-image-6.5.0-35-lowlatency  6.5.0-35.35.1~22.04.1
  linux-image-6.5.0-35-lowlatency-64k  6.5.0-35.35.1~22.04.1
  linux-image-aws  6.5.0.1020.20~22.04.1
  linux-image-azure  6.5.0.1021.22~22.04.1
  linux-image-azure-fde  6.5.0.1021.22~22.04.1
  linux-image-gcp  6.5.0.1020.20~22.04.1
  linux-image-generic-64k-hwe-22.04  6.5.0.35.35~22.04.1
  linux-image-generic-hwe-22.04  6.5.0.35.35~22.04.1
  linux-image-lowlatency-64k-hwe-22.04  6.5.0.35.35.1~22.04.1
  linux-image-lowlatency-hwe-22.04  6.5.0.35.35.1~22.04.1
  linux-image-nvidia-6.5  6.5.0.1019.26
  linux-image-nvidia-64k-6.5  6.5.0.1019.26
  linux-image-nvidia-64k-hwe-22.04  6.5.0.1019.26
  linux-image-nvidia-hwe-22.04  6.5.0.1019.26
  linux-image-oem-22.04  6.5.0.1023.25
  linux-image-oem-22.04a  6.5.0.1023.25
  linux-image-oem-22.04b  6.5.0.1023.25
  linux-image-oem-22.04c  6.5.0.1023.25
  linux-image-oem-22.04d  6.5.0.1023.25
  linux-image-oracle  6.5.0.1023.23~22.04.1
  linux-image-oracle-64k  6.5.0.1023.23~22.04.1
  linux-image-starfive  6.5.0.1014.15~22.04.1
  linux-image-virtual-hwe-22.04  6.5.0.35.35~22.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-6774-1
  CVE-2023-47233, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604,
  CVE-2023-52615, CVE-2024-2201, CVE-2024-26614, CVE-2024-26622,
  CVE-2024-26635, CVE-2024-26704, CVE-2024-26801, CVE-2024-26805

Package Information:
  https://launchpad.net/ubuntu/+source/linux/6.5.0-35.35
  https://launchpad.net/ubuntu/+source/linux-aws/6.5.0-1020.20
  https://launchpad.net/ubuntu/+source/linux-azure/6.5.0-1021.22
  https://launchpad.net/ubuntu/+source/linux-gcp/6.5.0-1020.20
  https://launchpad.net/ubuntu/+source/linux-laptop/6.5.0-1016.19
  https://launchpad.net/ubuntu/+source/linux-lowlatency/6.5.0-35.35.1
  https://launchpad.net/ubuntu/+source/linux-oracle/6.5.0-1023.23
  https://launchpad.net/ubuntu/+source/linux-raspi/6.5.0-1017.20
  https://launchpad.net/ubuntu/+source/linux-starfive/6.5.0-1014.15
  https://launchpad.net/ubuntu/+source/linux-aws-6.5/6.5.0-1020.20~22.04.1
  https://launchpad.net/ubuntu/+source/linux-azure-6.5/6.5.0-1021.22~22.04.1
  https://launchpad.net/ubuntu/+source/linux-gcp-6.5/6.5.0-1020.20~22.04.1
  https://launchpad.net/ubuntu/+source/linux-hwe-6.5/6.5.0-35.35~22.04.1
  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.5/6.5.0-35.35.1~22.04.1
  https://launchpad.net/ubuntu/+source/linux-nvidia-6.5/6.5.0-1019.19
  https://launchpad.net/ubuntu/+source/linux-oem-6.5/6.5.0-1023.24
  https://launchpad.net/ubuntu/+source/linux-oracle-6.5/6.5.0-1023.23~22.04.1
  https://launchpad.net/ubuntu/+source/linux-starfive-6.5/6.5.0-1014.15~22.04.1

From rodrigo.zaiden at canonical.com Thu May 16 16:01:55 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Thu, 16 May 2024 18:01:55 +0200
Subject: [USN-6775-1] Linux kernel vulnerabilities
Message-ID: <1c3c8318-41e8-4740-855e-9ea98aae25aa@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6775-1
May 16, 2024

linux, linux-azure, linux-azure-5.15, linux-azure-fde,
linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop,
linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,
linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15,
linux-nvidia, linux-oracle, linux-raspi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-intel-iotg: Linux kernel for Intel IoT platforms
- linux-kvm: Linux kernel for cloud environments
- linux-lowlatency: Linux low latency kernel
- linux-nvidia: Linux kernel for NVIDIA systems
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems
- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems
- linux-hwe-5.15: Linux hardware enablement (HWE) kernel
- linux-ibm-5.15: Linux kernel for IBM cloud systems
- linux-lowlatency-hwe-5.15: Linux low latency kernel

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a
use-after-free vulnerability. A physically proximate attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-47233)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - MAC80211 subsystem;
  - Tomoyo security module;
(CVE-2024-26622, CVE-2023-52530)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  linux-image-5.15.0-1045-gkeop  5.15.0-1045.52
  linux-image-5.15.0-1055-ibm  5.15.0-1055.58
  linux-image-5.15.0-1055-nvidia  5.15.0-1055.56
  linux-image-5.15.0-1055-nvidia-lowlatency  5.15.0-1055.56
  linux-image-5.15.0-1055-raspi  5.15.0-1055.58
  linux-image-5.15.0-1057-intel-iotg  5.15.0-1057.63
  linux-image-5.15.0-1059-kvm  5.15.0-1059.64
  linux-image-5.15.0-1060-gcp  5.15.0-1060.68
  linux-image-5.15.0-1060-oracle  5.15.0-1060.66
  linux-image-5.15.0-1064-azure  5.15.0-1064.73
  linux-image-5.15.0-1064-azure-fde  5.15.0-1064.73.1
  linux-image-5.15.0-107-generic  5.15.0-107.117
  linux-image-5.15.0-107-generic-64k  5.15.0-107.117
  linux-image-5.15.0-107-generic-lpae  5.15.0-107.117
  linux-image-5.15.0-107-lowlatency  5.15.0-107.117
  linux-image-5.15.0-107-lowlatency-64k  5.15.0-107.117
  linux-image-azure-fde-lts-22.04  5.15.0.1064.73.42
  linux-image-azure-lts-22.04  5.15.0.1064.62
  linux-image-gcp-lts-22.04  5.15.0.1060.56
  linux-image-generic  5.15.0.107.107
  linux-image-generic-64k  5.15.0.107.107
  linux-image-generic-lpae  5.15.0.107.107
  linux-image-gkeop  5.15.0.1045.44
  linux-image-gkeop-5.15  5.15.0.1045.44
  linux-image-ibm  5.15.0.1055.51
  linux-image-intel-iotg  5.15.0.1057.57
  linux-image-kvm  5.15.0.1059.55
  linux-image-lowlatency  5.15.0.107.102
  linux-image-lowlatency-64k  5.15.0.107.102
  linux-image-nvidia  5.15.0.1055.55
  linux-image-nvidia-lowlatency  5.15.0.1055.55
  linux-image-oracle-lts-22.04  5.15.0.1060.56
  linux-image-raspi  5.15.0.1055.53
  linux-image-raspi-nolpae  5.15.0.1055.53
  linux-image-virtual  5.15.0.107.107

Ubuntu 20.04 LTS
  linux-image-5.15.0-1045-gkeop  5.15.0-1045.52~20.04.1
  linux-image-5.15.0-1055-ibm  5.15.0-1055.58~20.04.1
  linux-image-5.15.0-1060-gcp  5.15.0-1060.68~20.04.1
  linux-image-5.15.0-1064-azure  5.15.0-1064.73~20.04.1
  linux-image-5.15.0-1064-azure-fde  5.15.0-1064.73~20.04.1.1
  linux-image-5.15.0-107-generic  5.15.0-107.117~20.04.1
  linux-image-5.15.0-107-generic-64k  5.15.0-107.117~20.04.1
  linux-image-5.15.0-107-generic-lpae  5.15.0-107.117~20.04.1
  linux-image-5.15.0-107-lowlatency  5.15.0-107.117~20.04.1
  linux-image-5.15.0-107-lowlatency-64k  5.15.0-107.117~20.04.1
  linux-image-azure  5.15.0.1064.73~20.04.1
  linux-image-azure-cvm  5.15.0.1064.73~20.04.1
  linux-image-azure-fde  5.15.0.1064.73~20.04.1.42
  linux-image-gcp  5.15.0.1060.68~20.04.1
  linux-image-generic-64k-hwe-20.04  5.15.0.107.117~20.04.1
  linux-image-generic-hwe-20.04  5.15.0.107.117~20.04.1
  linux-image-generic-lpae-hwe-20.04  5.15.0.107.117~20.04.1
  linux-image-gkeop-5.15  5.15.0.1045.52~20.04.1
  linux-image-ibm  5.15.0.1055.58~20.04.1
  linux-image-lowlatency-64k-hwe-20.04  5.15.0.107.117~20.04.1
  linux-image-lowlatency-hwe-20.04  5.15.0.107.117~20.04.1
  linux-image-oem-20.04  5.15.0.107.117~20.04.1
  linux-image-oem-20.04b  5.15.0.107.117~20.04.1
  linux-image-oem-20.04c  5.15.0.107.117~20.04.1
  linux-image-oem-20.04d  5.15.0.107.117~20.04.1
  linux-image-virtual-hwe-20.04  5.15.0.107.117~20.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-6775-1
  CVE-2023-47233, CVE-2023-52530, CVE-2024-26622

Package Information:
  https://launchpad.net/ubuntu/+source/linux/5.15.0-107.117
  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1064.73
  https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1064.73.1
  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1060.68
  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1045.52
  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1055.58
  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1057.63
  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1059.64
  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-107.117
  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1055.56
  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1060.66
  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1055.58
  https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1064.73~20.04.1
  https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1064.73~20.04.1.1
  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1060.68~20.04.1
  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1045.52~20.04.1
  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-107.117~20.04.1
  https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1055.58~20.04.1
  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-107.117~20.04.1

From rodrigo.zaiden at canonical.com Thu May 16 19:24:45 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Thu, 16 May 2024 21:24:45 +0200
Subject: [USN-6777-1] Linux kernel vulnerabilities
Message-ID: <07c7de2c-9878-49a4-b1b5-3a7d78f5b551@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6777-1
May 16, 2024

linux, linux-aws, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm,
linux-oracle vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a
use-after-free vulnerability. A physically proximate attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-47233)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - Block layer subsystem;
  - Userspace I/O drivers;
  - Ceph distributed file system;
  - Ext4 file system;
  - JFS file system;
  - NILFS2 file system;
  - Bluetooth subsystem;
  - Networking core;
  - IPv4 networking;
  - IPv6 networking;
  - Logical Link layer;
  - MAC80211 subsystem;
  - Netlink;
  - NFC subsystem;
  - Tomoyo security module;
(CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, CVE-2023-52439,
CVE-2024-26635, CVE-2023-52602, CVE-2024-26614, CVE-2024-26704,
CVE-2023-52604, CVE-2023-52566, CVE-2021-46981, CVE-2024-26622,
CVE-2024-26735, CVE-2024-26805, CVE-2024-26801, CVE-2023-52583)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  linux-image-4.15.0-1131-oracle  4.15.0-1131.142
    Available with Ubuntu Pro
  linux-image-4.15.0-1152-kvm  4.15.0-1152.157
    Available with Ubuntu Pro
  linux-image-4.15.0-1162-gcp  4.15.0-1162.179
    Available with Ubuntu Pro
  linux-image-4.15.0-1168-aws  4.15.0-1168.181
    Available with Ubuntu Pro
  linux-image-4.15.0-1177-azure  4.15.0-1177.192
    Available with Ubuntu Pro
  linux-image-4.15.0-225-generic  4.15.0-225.237
    Available with Ubuntu Pro
  linux-image-4.15.0-225-lowlatency  4.15.0-225.237
    Available with Ubuntu Pro
  linux-image-aws-lts-18.04  4.15.0.1168.166
    Available with Ubuntu Pro
  linux-image-azure-lts-18.04  4.15.0.1177.145
    Available with Ubuntu Pro
  linux-image-gcp-lts-18.04  4.15.0.1162.175
    Available with Ubuntu Pro
  linux-image-generic  4.15.0.225.209
    Available with Ubuntu Pro
  linux-image-kvm  4.15.0.1152.143
    Available with Ubuntu Pro
  linux-image-lowlatency  4.15.0.225.209
    Available with Ubuntu Pro
  linux-image-oracle-lts-18.04  4.15.0.1131.136
    Available with Ubuntu Pro
  linux-image-virtual  4.15.0.225.209
    Available with Ubuntu Pro

Ubuntu 16.04 LTS
  linux-image-4.15.0-1131-oracle  4.15.0-1131.142~16.04.1
    Available with Ubuntu Pro
  linux-image-4.15.0-225-generic  4.15.0-225.237~16.04.1
    Available with Ubuntu Pro
  linux-image-4.15.0-225-lowlatency  4.15.0-225.237~16.04.1
    Available with Ubuntu Pro
  linux-image-generic-hwe-16.04  4.15.0.225.237~16.04.1
    Available with Ubuntu Pro
  linux-image-lowlatency-hwe-16.04  4.15.0.225.237~16.04.1
    Available with Ubuntu Pro
  linux-image-oem  4.15.0.225.237~16.04.1
    Available with Ubuntu Pro
  linux-image-oracle  4.15.0.1131.142~16.04.1
    Available with Ubuntu Pro
  linux-image-virtual-hwe-16.04  4.15.0.225.237~16.04.1
    Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-6777-1
  CVE-2021-46981, CVE-2023-47233, CVE-2023-52439, CVE-2023-52524,
  CVE-2023-52530, CVE-2023-52566, CVE-2023-52583, CVE-2023-52601,
  CVE-2023-52602, CVE-2023-52604, CVE-2024-26614, CVE-2024-26622,
  CVE-2024-26635, CVE-2024-26704, CVE-2024-26735, CVE-2024-26801,
  CVE-2024-26805

From rodrigo.zaiden at canonical.com Thu May 16 19:24:56 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Thu, 16 May 2024 21:24:56 +0200
Subject: [USN-6778-1] Linux kernel vulnerabilities
Message-ID: <53f37bf8-63e4-4a2a-a8ef-d26fdb7dbe77@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6778-1
May 16, 2024

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-kvm: Linux kernel for cloud environments
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a
use-after-free vulnerability. A physically proximate attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-47233)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - Ext4 file system;
  - JFS file system;
  - NILFS2 file system;
  - Core kernel;
  - Bluetooth subsystem;
  - Networking core;
  - IPv4 networking;
  - Logical Link layer;
  - MAC80211 subsystem;
  - Netlink;
  - NFC subsystem;
  - Tomoyo security module;
(CVE-2023-52601, CVE-2024-26622, CVE-2024-26805, CVE-2024-26635,
CVE-2023-52602, CVE-2024-26801, CVE-2023-52566, CVE-2024-26704,
CVE-2021-46939, CVE-2024-26614, CVE-2023-52604, CVE-2023-52530,
CVE-2023-52524)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
  linux-image-4.4.0-1132-kvm  4.4.0-1132.142
    Available with Ubuntu Pro
  linux-image-4.4.0-1169-aws  4.4.0-1169.184
    Available with Ubuntu Pro
  linux-image-4.4.0-254-generic  4.4.0-254.288
    Available with Ubuntu Pro
  linux-image-4.4.0-254-lowlatency  4.4.0-254.288
    Available with Ubuntu Pro
  linux-image-aws  4.4.0.1169.173
    Available with Ubuntu Pro
  linux-image-generic  4.4.0.254.260
    Available with Ubuntu Pro
  linux-image-generic-lts-xenial  4.4.0.254.260
    Available with Ubuntu Pro
  linux-image-kvm  4.4.0.1132.129
    Available with Ubuntu Pro
  linux-image-lowlatency  4.4.0.254.260
    Available with Ubuntu Pro
  linux-image-lowlatency-lts-xenial  4.4.0.254.260
    Available with Ubuntu Pro
  linux-image-virtual  4.4.0.254.260
    Available with Ubuntu Pro
  linux-image-virtual-lts-xenial  4.4.0.254.260
    Available with Ubuntu Pro

Ubuntu 14.04 LTS
  linux-image-4.4.0-1131-aws  4.4.0-1131.137
    Available with Ubuntu Pro
  linux-image-4.4.0-254-generic  4.4.0-254.288~14.04.1
    Available with Ubuntu Pro
  linux-image-4.4.0-254-lowlatency  4.4.0-254.288~14.04.1
    Available with Ubuntu Pro
  linux-image-aws  4.4.0.1131.128
    Available with Ubuntu Pro
  linux-image-generic-lts-xenial  4.4.0.254.288~14.04.1
    Available with Ubuntu Pro
  linux-image-lowlatency-lts-xenial  4.4.0.254.288~14.04.1
    Available with Ubuntu Pro
  linux-image-virtual-lts-xenial  4.4.0.254.288~14.04.1
    Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-6778-1
  CVE-2021-46939, CVE-2023-47233, CVE-2023-52524, CVE-2023-52530,
  CVE-2023-52566, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604,
  CVE-2024-26614, CVE-2024-26622, CVE-2024-26635, CVE-2024-26704,
  CVE-2024-26801, CVE-2024-26805

From rodrigo.zaiden at canonical.com Thu May 16 19:24:37 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Thu, 16 May 2024 21:24:37 +0200
Subject: [USN-6776-1] Linux kernel vulnerabilities
Message-ID: <49d8ff44-988f-4a8e-8d81-8edeb9e6b040@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6776-1
May 16, 2024

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4,
linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4,
linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle,
linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp
vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-bluefield: Linux kernel for NVIDIA BlueField platforms
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-iot: Linux kernel for IoT platforms
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-5.4: Linux hardware enablement (HWE) kernel
- linux-ibm-5.4: Linux kernel for IBM cloud systems
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a
use-after-free vulnerability. A physically proximate attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-47233)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - Networking core;
  - IPv4 networking;
  - MAC80211 subsystem;
  - Tomoyo security module;
(CVE-2024-26614, CVE-2023-52530, CVE-2024-26622)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  linux-image-5.4.0-1037-iot  5.4.0-1037.38
  linux-image-5.4.0-1044-xilinx-zynqmp  5.4.0-1044.48
  linux-image-5.4.0-1072-ibm  5.4.0-1072.77
  linux-image-5.4.0-1085-bluefield  5.4.0-1085.92
  linux-image-5.4.0-1092-gkeop  5.4.0-1092.96
  linux-image-5.4.0-1109-raspi  5.4.0-1109.121
  linux-image-5.4.0-1113-kvm  5.4.0-1113.120
  linux-image-5.4.0-1124-oracle  5.4.0-1124.133
  linux-image-5.4.0-1125-aws  5.4.0-1125.135
  linux-image-5.4.0-1129-gcp  5.4.0-1129.138
  linux-image-5.4.0-1130-azure  5.4.0-1130.137
  linux-image-5.4.0-182-generic  5.4.0-182.202
  linux-image-5.4.0-182-generic-lpae  5.4.0-182.202
  linux-image-5.4.0-182-lowlatency  5.4.0-182.202
  linux-image-aws-lts-20.04  5.4.0.1125.122
  linux-image-azure-lts-20.04  5.4.0.1130.124
  linux-image-bluefield  5.4.0.1085.81
  linux-image-gcp-lts-20.04  5.4.0.1129.131
  linux-image-generic  5.4.0.182.180
  linux-image-generic-lpae  5.4.0.182.180
  linux-image-gkeop  5.4.0.1092.90
  linux-image-gkeop-5.4  5.4.0.1092.90
  linux-image-ibm-lts-20.04  5.4.0.1072.101
  linux-image-kvm  5.4.0.1113.109
  linux-image-lowlatency  5.4.0.182.180
  linux-image-oem  5.4.0.182.180
  linux-image-oem-osp1  5.4.0.182.180
  linux-image-oracle-lts-20.04  5.4.0.1124.117
  linux-image-raspi  5.4.0.1109.139
  linux-image-raspi2  5.4.0.1109.139
  linux-image-virtual  5.4.0.182.180
  linux-image-xilinx-zynqmp  5.4.0.1044.44

Ubuntu 18.04 LTS
  linux-image-5.4.0-1072-ibm  5.4.0-1072.77~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1109-raspi  5.4.0-1109.121~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1124-oracle  5.4.0-1124.133~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1125-aws  5.4.0-1125.135~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1129-gcp  5.4.0-1129.138~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-1130-azure  5.4.0-1130.137~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-182-generic  5.4.0-182.202~18.04.1
    Available with Ubuntu Pro
  linux-image-5.4.0-182-lowlatency  5.4.0-182.202~18.04.1
    Available with Ubuntu Pro
  linux-image-aws  5.4.0.1125.135~18.04.1
    Available with Ubuntu Pro
  linux-image-azure  5.4.0.1130.137~18.04.1
    Available with Ubuntu Pro
  linux-image-gcp  5.4.0.1129.138~18.04.1
    Available with Ubuntu Pro
  linux-image-generic-hwe-18.04  5.4.0.182.202~18.04.1
    Available with Ubuntu Pro
  linux-image-ibm  5.4.0.1072.77~18.04.1
    Available with Ubuntu Pro
  linux-image-lowlatency-hwe-18.04  5.4.0.182.202~18.04.1
    Available with Ubuntu Pro
  linux-image-oem  5.4.0.182.202~18.04.1
    Available with Ubuntu Pro
  linux-image-oem-osp1  5.4.0.182.202~18.04.1
    Available with Ubuntu Pro
  linux-image-oracle  5.4.0.1124.133~18.04.1
    Available with Ubuntu Pro
  linux-image-raspi-hwe-18.04  5.4.0.1109.121~18.04.1
    Available with Ubuntu Pro
  linux-image-snapdragon-hwe-18.04  5.4.0.182.202~18.04.1
    Available with Ubuntu Pro
  linux-image-virtual-hwe-18.04  5.4.0.182.202~18.04.1
    Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-6776-1
  CVE-2023-47233, CVE-2023-52530, CVE-2024-26614, CVE-2024-26622

Package Information:
  https://launchpad.net/ubuntu/+source/linux/5.4.0-182.202
  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1125.135
  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1130.137
  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1085.92
  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1129.138
  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1092.96
  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1072.77
  https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1037.38
  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1113.120
  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1124.133
  https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1109.121
  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1044.48

From rodrigo.zaiden at canonical.com Mon May 20 13:44:22 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Mon, 20 May 2024 10:44:22 -0300
Subject: [USN-6766-3] Linux kernel (AWS) vulnerabilities
Message-ID: <4a2b769a-8159-49cf-8335-a4cb78c41f7e@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6766-3
May 20, 2024

linux-aws, linux-aws-5.15 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems

Details:

It was discovered that the Open vSwitch implementation in the Linux kernel could overflow its stack during recursive action operations under certain conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-1151)

Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida discovered that the Linux kernel mitigations for the initial Branch History Injection vulnerability (CVE-2022-0001) were insufficient for Intel processors. A local attacker could potentially use this to expose sensitive information. (CVE-2024-2201)

Chenyuan Yang discovered that the RDS Protocol implementation in the Linux kernel contained an out-of-bounds read vulnerability. An attacker could use this to possibly cause a denial of service (system crash). (CVE-2024-23849)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - PowerPC architecture;
  - S390 architecture;
  - Core kernel;
  - Block layer subsystem;
  - Android drivers;
  - Power management core;
  - Bus devices;
  - Hardware random number generator core;
  - Cryptographic API;
  - Device frequency;
  - DMA engine subsystem;
  - ARM SCMI message protocol;
  - GPU drivers;
  - HID subsystem;
  - Hardware monitoring drivers;
  - I2C subsystem;
  - IIO ADC drivers;
  - IIO subsystem;
  - IIO Magnetometer sensors drivers;
  - InfiniBand drivers;
  - Media drivers;
  - Network drivers;
  - PCI driver for MicroSemi Switchtec;
  - PHY drivers;
  - SCSI drivers;
  - DesignWare USB3 driver;
  - BTRFS file system;
  - Ceph distributed file system;
  - Ext4 file system;
  - F2FS file system;
  - JFS file system;
  - NILFS2 file system;
  - NTFS3 file system;
  - Pstore file system;
  - SMB network file system;
  - Memory management;
  - CAN network layer;
  - Networking core;
  - HSR network protocol;
  - IPv4 networking;
  - IPv6 networking;
  - Logical Link layer;
  - Multipath TCP;
  - Netfilter;
  - NFC subsystem;
  - SMC sockets;
  - Sun RPC protocol;
  - TIPC protocol;
  - Unix domain sockets;
  - Realtek audio codecs;
(CVE-2023-52594, CVE-2023-52601, CVE-2024-26826, CVE-2023-52622, CVE-2024-26665, CVE-2023-52493, CVE-2023-52633, CVE-2024-26684, CVE-2024-26663, CVE-2023-52618, CVE-2023-52588, CVE-2023-52637, CVE-2024-26825, CVE-2023-52606, CVE-2024-26594, CVE-2024-26625, CVE-2024-26720, CVE-2024-26614, CVE-2023-52627, CVE-2023-52602, CVE-2024-26673, CVE-2024-26685, CVE-2023-52638, CVE-2023-52498, CVE-2023-52619, CVE-2024-26910, CVE-2024-26689, CVE-2023-52583, CVE-2024-26676, CVE-2024-26671, CVE-2024-26704, CVE-2024-26608, CVE-2024-26610, CVE-2024-26592, CVE-2023-52599, CVE-2023-52595, CVE-2024-26660, CVE-2023-52617, CVE-2024-26645, CVE-2023-52486, CVE-2023-52631, CVE-2023-52607, CVE-2023-52608, CVE-2024-26722, CVE-2024-26615, CVE-2023-52615, CVE-2024-26636, CVE-2023-52642, CVE-2023-52587, CVE-2024-26712, CVE-2024-26675, CVE-2023-52614, CVE-2024-26606, CVE-2024-26916, CVE-2024-26600, CVE-2024-26679, CVE-2024-26829, CVE-2024-26641, CVE-2023-52623, CVE-2024-26627, CVE-2024-26696, CVE-2024-26640, CVE-2024-26635, CVE-2023-52491, CVE-2024-26664, CVE-2024-26602, CVE-2023-52604, CVE-2024-26717, CVE-2023-52643, CVE-2024-26593, CVE-2023-52598, CVE-2024-26668, CVE-2023-52435, CVE-2023-52597, CVE-2024-26715, CVE-2024-26707, CVE-2023-52635, CVE-2024-26695, CVE-2024-26698, CVE-2023-52494, CVE-2024-26920, CVE-2024-26808, CVE-2023-52616, CVE-2023-52492, CVE-2024-26702, CVE-2024-26644, CVE-2023-52489, CVE-2024-26697)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  linux-image-5.15.0-1061-aws  5.15.0-1061.67
  linux-image-aws-lts-22.04  5.15.0.1061.61

Ubuntu 20.04 LTS
  linux-image-5.15.0-1061-aws  5.15.0-1061.67~20.04.1
  linux-image-aws  5.15.0.1061.67~20.04.1

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-6766-3
  https://ubuntu.com/security/notices/USN-6766-1
  CVE-2023-52435, CVE-2023-52486, CVE-2023-52489, CVE-2023-52491, CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52498, CVE-2023-52583, CVE-2023-52587, CVE-2023-52588, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597, CVE-2023-52598, CVE-2023-52599, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604, CVE-2023-52606, CVE-2023-52607, CVE-2023-52608, CVE-2023-52614, CVE-2023-52615, CVE-2023-52616, CVE-2023-52617, CVE-2023-52618, CVE-2023-52619, CVE-2023-52622, CVE-2023-52623, CVE-2023-52627, CVE-2023-52631, CVE-2023-52633, CVE-2023-52635, CVE-2023-52637, CVE-2023-52638, CVE-2023-52642, CVE-2023-52643, CVE-2024-1151, CVE-2024-2201, CVE-2024-23849, CVE-2024-26592, CVE-2024-26593, CVE-2024-26594, CVE-2024-26600, CVE-2024-26602, CVE-2024-26606, CVE-2024-26608, CVE-2024-26610, CVE-2024-26614, CVE-2024-26615, CVE-2024-26625, CVE-2024-26627, CVE-2024-26635, CVE-2024-26636, CVE-2024-26640, CVE-2024-26641, CVE-2024-26644, CVE-2024-26645, CVE-2024-26660, CVE-2024-26663, CVE-2024-26664, CVE-2024-26665, CVE-2024-26668, CVE-2024-26671, CVE-2024-26673, CVE-2024-26675, CVE-2024-26676, CVE-2024-26679, CVE-2024-26684, CVE-2024-26685, CVE-2024-26689, CVE-2024-26695, CVE-2024-26696, CVE-2024-26697, CVE-2024-26698, CVE-2024-26702, CVE-2024-26704, CVE-2024-26707, CVE-2024-26712, CVE-2024-26715, CVE-2024-26717, CVE-2024-26720, CVE-2024-26722, CVE-2024-26808, CVE-2024-26825, CVE-2024-26826, CVE-2024-26829, CVE-2024-26910, CVE-2024-26916, CVE-2024-26920

Package Information:
  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1061.67
  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1061.67~20.04.1

From rodrigo.zaiden at canonical.com Mon May 20 13:44:38 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Mon, 20 May 2024 10:44:38 -0300
Subject: [USN-6777-2] Linux kernel (Azure) vulnerabilities
Message-ID: <7706ffe9-f89a-4599-a194-8c40877f8065@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6777-2
May 20, 2024

linux-azure vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-47233)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - Block layer subsystem;
  - Userspace I/O drivers;
  - Ceph distributed file system;
  - Ext4 file system;
  - JFS file system;
  - NILFS2 file system;
  - Bluetooth subsystem;
  - Networking core;
  - IPv4 networking;
  - IPv6 networking;
  - Logical Link layer;
  - MAC80211 subsystem;
  - Netlink;
  - NFC subsystem;
  - Tomoyo security module;
(CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, CVE-2023-52439, CVE-2024-26635, CVE-2023-52602, CVE-2024-26614, CVE-2024-26704, CVE-2023-52604, CVE-2023-52566, CVE-2021-46981, CVE-2024-26622, CVE-2024-26735, CVE-2024-26805, CVE-2024-26801, CVE-2023-52583)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
  linux-image-4.15.0-1177-azure  4.15.0-1177.192~16.04.1  Available with Ubuntu Pro
  linux-image-azure  4.15.0.1177.192~16.04.1  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  linux-image-4.15.0-1177-azure  4.15.0-1177.192~14.04.1  Available with Ubuntu Pro
  linux-image-azure  4.15.0.1177.192~14.04.1  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-6777-2
  https://ubuntu.com/security/notices/USN-6777-1
  CVE-2021-46981, CVE-2023-47233, CVE-2023-52439, CVE-2023-52524, CVE-2023-52530, CVE-2023-52566, CVE-2023-52583, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604, CVE-2024-26614, CVE-2024-26622, CVE-2024-26635, CVE-2024-26704, CVE-2024-26735, CVE-2024-26801, CVE-2024-26805

From nishit.majithia at canonical.com Tue May 21 07:10:37 2024
From: nishit.majithia at canonical.com (Nishit Majithia)
Date: Tue, 21 May 2024 12:40:37 +0530
Subject: [USN-6779-1] Firefox vulnerabilities
Message-ID: <20240521071037.xxxg6agesni27f4z@machine>

==========================================================================
Ubuntu Security Notice USN-6779-1
May 21, 2024

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778)

Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory when audio input connected with multiple consumers. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code.
(CVE-2024-4764)

Thomas Rinsma discovered that Firefox did not properly handle type check when handling fonts in PDF.js. An attacker could potentially exploit this issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367)

Irvan Kurniawan discovered that Firefox did not properly handle certain font styles when saving a page to PDF. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-4770)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
  firefox  126.0+build2-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6779-1
  CVE-2024-4367, CVE-2024-4764, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/126.0+build2-0ubuntu0.20.04.1

From federico.quattrin at canonical.com Tue May 21 14:24:20 2024
From: federico.quattrin at canonical.com (Federico Quattrin)
Date: Tue, 21 May 2024 11:24:20 -0300
Subject: [USN-6781-1] Spreadsheet::ParseExcel vulnerability
Message-ID: <77a89b9a-be4b-4def-9f2d-553053199c8c@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6781-1
May 21, 2024

libspreadsheet-parseexcel-perl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Spreadsheet::ParseExcel could possibly run commands if it processed a specially crafted file.

Software Description:
- libspreadsheet-parseexcel-perl: Perl module to access information from Excel Spreadsheets

Details:

Le Dinh Hai discovered that Spreadsheet::ParseExcel was passing unvalidated input from a file into a string-type "eval". An attacker could craft a malicious file to achieve arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1.1ubuntu0.1

Ubuntu 20.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1ubuntu0.20.04.1

Ubuntu 18.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1ubuntu0.18.04.1~esm1  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1ubuntu0.16.04.1~esm1  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libspreadsheet-parseexcel-perl  0.5800-1ubuntu0.1~esm1  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6781-1
  CVE-2023-7101

Package Information:
  https://launchpad.net/ubuntu/+source/libspreadsheet-parseexcel-perl/0.6500-1.1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libspreadsheet-parseexcel-perl/0.6500-1ubuntu0.20.04.1

From jorge.sancho.larraz at canonical.com Tue May 21 15:42:18 2024
From: jorge.sancho.larraz at canonical.com (Jorge Sancho Larraz)
Date: Tue, 21 May 2024 17:42:18 +0200
Subject: [USN-6780-1] idna vulnerability
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6780-1
May 21, 2024

python-idna vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

idna could be made to consume significant resources if it receives a specially crafted input.

Software Description:
- python-idna: Python IDNA2008 (RFC 5891) handling

Details:

Guido Vranken discovered that idna did not properly manage certain inputs, which could lead to significant resource consumption. An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  python3-idna  3.6-2ubuntu0.1

Ubuntu 23.10
  python3-idna  3.3-2ubuntu0.1

Ubuntu 22.04 LTS
  python3-idna  3.3-1ubuntu0.1

Ubuntu 20.04 LTS
  python-idna  2.8-1ubuntu0.1
  python3-idna  2.8-1ubuntu0.1

Ubuntu 18.04 LTS
  pypy-idna  2.6-1ubuntu0.1~esm1  Available with Ubuntu Pro
  python-idna  2.6-1ubuntu0.1~esm1  Available with Ubuntu Pro
  python3-idna  2.6-1ubuntu0.1~esm1  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  pypy-idna  2.0-3ubuntu0.1~esm1  Available with Ubuntu Pro
  python-idna  2.0-3ubuntu0.1~esm1  Available with Ubuntu Pro
  python3-idna  2.0-3ubuntu0.1~esm1  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6780-1
  CVE-2024-3651

Package Information:
  https://launchpad.net/ubuntu/+source/python-idna/3.6-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-idna/3.3-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-idna/3.3-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-idna/2.8-1ubuntu0.1

From rodrigo.zaiden at canonical.com Tue May 21 22:43:17 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Tue, 21 May 2024 19:43:17 -0300
Subject: [USN-6775-2] Linux kernel vulnerabilities
Message-ID: <03064d7b-6319-440f-afbc-522c939ea107@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6775-2
May 21, 2024

linux-aws, linux-aws-5.15, linux-gke vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-47233)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - MAC80211 subsystem;
  - Tomoyo security module;
(CVE-2024-26622, CVE-2023-52530)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  linux-image-5.15.0-1059-gke  5.15.0-1059.64
  linux-image-5.15.0-1062-aws  5.15.0-1062.68
  linux-image-aws-lts-22.04  5.15.0.1062.62
  linux-image-gke  5.15.0.1059.58
  linux-image-gke-5.15  5.15.0.1059.58

Ubuntu 20.04 LTS
  linux-image-5.15.0-1062-aws  5.15.0-1062.68~20.04.1
  linux-image-aws  5.15.0.1062.68~20.04.1

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-6775-2
  https://ubuntu.com/security/notices/USN-6775-1
  CVE-2023-47233, CVE-2023-52530, CVE-2024-26622

Package Information:
  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1062.68
  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1059.64
  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1062.68~20.04.1

From rodrigo.zaiden at canonical.com Tue May 21 22:43:44 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Tue, 21 May 2024 19:43:44 -0300
Subject: [USN-6777-3] Linux kernel (GCP) vulnerabilities
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6777-3
May 21, 2024

linux-gcp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-47233)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - Block layer subsystem;
  - Userspace I/O drivers;
  - Ceph distributed file system;
  - Ext4 file system;
  - JFS file system;
  - NILFS2 file system;
  - Bluetooth subsystem;
  - Networking core;
  - IPv4 networking;
  - IPv6 networking;
  - Logical Link layer;
  - MAC80211 subsystem;
  - Netlink;
  - NFC subsystem;
  - Tomoyo security module;
(CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, CVE-2023-52439, CVE-2024-26635, CVE-2023-52602, CVE-2024-26614, CVE-2024-26704, CVE-2023-52604, CVE-2023-52566, CVE-2021-46981, CVE-2024-26622, CVE-2024-26735, CVE-2024-26805, CVE-2024-26801, CVE-2023-52583)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
  linux-image-4.15.0-1162-gcp  4.15.0-1162.179~16.04.1  Available with Ubuntu Pro
  linux-image-gcp  4.15.0.1162.179~16.04.1  Available with Ubuntu Pro
  linux-image-gke  4.15.0.1162.179~16.04.1  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-6777-3
  https://ubuntu.com/security/notices/USN-6777-1
  CVE-2021-46981, CVE-2023-47233, CVE-2023-52439, CVE-2023-52524, CVE-2023-52530, CVE-2023-52566, CVE-2023-52583, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604, CVE-2024-26614, CVE-2024-26622, CVE-2024-26635, CVE-2024-26704, CVE-2024-26735, CVE-2024-26801, CVE-2024-26805

From nishit.majithia at canonical.com Wed May 22 07:04:51 2024
From: nishit.majithia at canonical.com (Nishit Majithia)
Date: Wed, 22 May 2024 12:34:51 +0530
Subject: [USN-6782-1] Thunderbird vulnerabilities
Message-ID: <20240522070451.xmdhtwdztj6t3or3@machine>

==========================================================================
Ubuntu Security Notice USN-6782-1
May 22, 2024

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4777)

Thomas Rinsma discovered that Thunderbird did not properly handle type check when handling fonts in PDF.js. An attacker could potentially exploit this issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367)

Irvan Kurniawan discovered that Thunderbird did not properly handle certain font styles when saving a page to PDF. An attacker could potentially exploit this issue to cause a denial of service.
(CVE-2024-4770)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10
  thunderbird  1:115.11.0+build2-0ubuntu0.23.10.1

Ubuntu 22.04 LTS
  thunderbird  1:115.11.0+build2-0ubuntu0.22.04.1

Ubuntu 20.04 LTS
  thunderbird  1:115.11.0+build2-0ubuntu0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6782-1
  CVE-2024-4367, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, CVE-2024-4777

Package Information:
  https://launchpad.net/ubuntu/+source/thunderbird/1:115.11.0+build2-0ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:115.11.0+build2-0ubuntu0.22.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:115.11.0+build2-0ubuntu0.20.04.1

From allen.huang at canonical.com Thu May 23 08:54:43 2024
From: allen.huang at canonical.com (Allen Huang)
Date: Thu, 23 May 2024 09:54:43 +0100
Subject: [USN-6783-1] VLC vulnerabilities
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6783-1
May 22, 2024

vlc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

VLC could be made to crash or run programs if it received specially crafted network traffic.

Software Description:
- vlc: multimedia player and streamer

Details:

It was discovered that VLC incorrectly handled certain media files. A remote attacker could possibly use this issue to cause VLC to crash, resulting in a denial of service, or potential arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10
  vlc  3.0.18-4ubuntu0.1
  vlc-plugin-base  3.0.18-4ubuntu0.1

Ubuntu 22.04 LTS
  vlc  3.0.16-1ubuntu0.1~esm2  Available with Ubuntu Pro
  vlc-plugin-base  3.0.16-1ubuntu0.1~esm2  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  vlc  3.0.9.2-1ubuntu0.1~esm2  Available with Ubuntu Pro
  vlc-plugin-base  3.0.9.2-1ubuntu0.1~esm2  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  vlc  3.0.8-0ubuntu18.04.1+esm2  Available with Ubuntu Pro
  vlc-plugin-base  3.0.8-0ubuntu18.04.1+esm2  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  vlc  2.2.2-5ubuntu0.16.04.5+esm3  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6783-1
  CVE-2023-47359, CVE-2023-47360

Package Information:
  https://launchpad.net/ubuntu/+source/vlc/3.0.18-4ubuntu0.1

From david.fernandezgonzalez at canonical.com Thu May 23 09:38:44 2024
From: david.fernandezgonzalez at canonical.com (David Fernandez Gonzalez)
Date: Thu, 23 May 2024 11:38:44 +0200
Subject: [USN-6663-3] OpenSSL update
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6663-3
May 23, 2024

openssl update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Add implicit rejection in PKCS#1 v1.5 in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

USN-6663-1 provided a security update for OpenSSL. This update provides the corresponding update for Ubuntu 24.04 LTS.

Original advisory details:

 As a security improvement, OpenSSL will now return deterministic random bytes instead of an error when detecting wrong padding in PKCS#1 v1.5 RSA to prevent its use in possible Bleichenbacher timing attacks.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  libssl-doc                      3.0.13-0ubuntu3.1
  libssl3t64                      3.0.13-0ubuntu3.1
  openssl                         3.0.13-0ubuntu3.1

After a standard system update you need to reboot your computer to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6663-3
  https://ubuntu.com/security/notices/USN-6663-1
  https://launchpad.net/bugs/2054090

Package Information:
  https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.1

From rodrigo.zaiden at canonical.com Thu May 23 12:07:27 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Thu, 23 May 2024 09:07:27 -0300
Subject: [USN-6777-4] Linux kernel (HWE) vulnerabilities
Message-ID: <14c29bd7-25c1-4b80-a970-acb31652f54e@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6777-4
May 23, 2024

linux-aws-hwe vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-47233)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems:
  - Block layer subsystem;
  - Userspace I/O drivers;
  - Ceph distributed file system;
  - Ext4 file system;
  - JFS file system;
  - NILFS2 file system;
  - Bluetooth subsystem;
  - Networking core;
  - IPv4 networking;
  - IPv6 networking;
  - Logical Link layer;
  - MAC80211 subsystem;
  - Netlink;
  - NFC subsystem;
  - Tomoyo security module;
(CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, CVE-2023-52439, CVE-2024-26635, CVE-2023-52602, CVE-2024-26614, CVE-2024-26704, CVE-2023-52604, CVE-2023-52566, CVE-2021-46981, CVE-2024-26622, CVE-2024-26735, CVE-2024-26805, CVE-2024-26801, CVE-2023-52583)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
  linux-image-4.15.0-1168-aws     4.15.0-1168.181~16.04.1
                                  Available with Ubuntu Pro
  linux-image-aws-hwe             4.15.0.1168.181~16.04.1
                                  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.
References:
  https://ubuntu.com/security/notices/USN-6777-4
  https://ubuntu.com/security/notices/USN-6777-1
  CVE-2021-46981, CVE-2023-47233, CVE-2023-52439, CVE-2023-52524, CVE-2023-52530, CVE-2023-52566, CVE-2023-52583, CVE-2023-52601, CVE-2023-52602, CVE-2023-52604, CVE-2024-26614, CVE-2024-26622, CVE-2024-26635, CVE-2024-26704, CVE-2024-26735, CVE-2024-26801, CVE-2024-26805

From ian.constantin at canonical.com Thu May 23 13:35:58 2024
From: ian.constantin at canonical.com (Ian Constantin)
Date: Thu, 23 May 2024 16:35:58 +0300
Subject: [USN-6736-2] klibc vulnerabilities
Message-ID: <05694b69-4721-4cd8-8eed-d697e3d473f4@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6736-2
May 23, 2024

klibc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in klibc.

Software Description:
- klibc: small utilities built with klibc for early boot

Details:

USN-6736-1 fixed vulnerabilities in klibc. This update provides the corresponding updates for Ubuntu 24.04 LTS.

Original advisory details:

 It was discovered that zlib, vendored in klibc, incorrectly handled pointer arithmetic. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)

 Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled memory when performing certain deflating operations. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code.
 (CVE-2018-25032)

 Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled memory when performing certain inflate operations. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code. (CVE-2022-37434)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  klibc-utils                     2.0.13-4ubuntu0.1
  libklibc                        2.0.13-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6736-2
  https://ubuntu.com/security/notices/USN-6736-1
  CVE-2016-9840, CVE-2016-9841, CVE-2018-25032, CVE-2022-37434

Package Information:
  https://launchpad.net/ubuntu/+source/klibc/2.0.13-4ubuntu0.1

From allen.huang at canonical.com Thu May 23 15:42:20 2024
From: allen.huang at canonical.com (Allen Huang)
Date: Thu, 23 May 2024 16:42:20 +0100
Subject: [USN-6784-1] cJSON vulnerabilities
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6784-1
May 23, 2024

cjson vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

cJSON could be made to crash if it received specially crafted input.

Software Description:
- cjson: Ultralightweight JSON parser in ANSI C (development files)

Details:

It was discovered that cJSON incorrectly handled certain input. An attacker could possibly use this issue to cause cJSON to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.10.
(CVE-2023-50471, CVE-2023-50472)

Luo Jin discovered that cJSON incorrectly handled certain input. An attacker could possibly use this issue to cause cJSON to crash, resulting in a denial of service. (CVE-2024-31755)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  libcjson1                       1.7.17-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 23.10
  libcjson1                       1.7.16-1ubuntu0.2

Ubuntu 22.04 LTS
  libcjson1                       1.7.15-1ubuntu0.1~esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6784-1
  CVE-2023-50471, CVE-2023-50472, CVE-2024-31755

Package Information:
  https://launchpad.net/ubuntu/+source/cjson/1.7.16-1ubuntu0.2

From marc.deslauriers at canonical.com Thu May 23 16:53:45 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Thu, 23 May 2024 12:53:45 -0400
Subject: [USN-6785-1] GNOME Remote Desktop vulnerability
Message-ID: <0fe3ba91-fe07-45da-ac35-42de1d2b6fed@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6785-1
May 23, 2024

gnome-remote-desktop vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

GNOME Remote Desktop would allow unintended access to sensitive information or remote desktop connections.

Software Description:
- gnome-remote-desktop: Remote desktop daemon for GNOME

Details:

Matthias Gerstner discovered that GNOME Remote Desktop incorrectly performed certain user validation checks.
A local attacker could possibly use this issue to obtain sensitive information, or take control of remote desktop connections.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  gnome-remote-desktop            46.2-1~ubuntu24.04.2

After a standard system update you need to reboot your computer to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6785-1
  CVE-2024-5148

Package Information:
  https://launchpad.net/ubuntu/+source/gnome-remote-desktop/46.2-1~ubuntu24.04.2

From jorge.sancho.larraz at canonical.com Mon May 27 16:16:54 2024
From: jorge.sancho.larraz at canonical.com (Jorge Sancho Larraz)
Date: Mon, 27 May 2024 18:16:54 +0200
Subject: [USN-6673-3] python-cryptography vulnerability
Message-ID: <73ee7461-5a9d-4439-918f-9e779627e1fa@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6673-3
May 27, 2024

python-cryptography vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

python-cryptography could be made to crash if it received specially crafted input.

Software Description:
- python-cryptography: Cryptography Python library

Details:

USN-6673-1 provided a security update for python-cryptography. This update provides the corresponding update for Ubuntu 24.04 LTS.

Original advisory details:

 It was discovered that python-cryptography incorrectly handled memory operations when processing mismatched PKCS#12 keys. A remote attacker could possibly use this issue to cause python-cryptography to crash, leading to a denial of service. This issue only affected Ubuntu 23.10.
 (CVE-2024-26130)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  python3-cryptography            41.0.7-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6673-3
  https://ubuntu.com/security/notices/USN-6673-1
  CVE-2024-26130

Package Information:
  https://launchpad.net/ubuntu/+source/python-cryptography/41.0.7-4ubuntu0.1

From bruce.cable at canonical.com Tue May 28 06:43:36 2024
From: bruce.cable at canonical.com (Bruce Cable)
Date: Tue, 28 May 2024 16:43:36 +1000
Subject: [USN-6786-1] Netatalk vulnerabilities
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6786-1
May 28, 2024

netatalk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Netatalk could allow arbitrary code execution if it receives a specially crafted input.

Software Description:
- netatalk: Apple Filing Protocol service

Details:

It was discovered that Netatalk did not properly protect an SMB and AFP default configuration. A remote attacker could possibly use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  netatalk                        3.1.12~ds-9ubuntu0.22.04.3+esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  netatalk                        3.1.12~ds-4ubuntu0.20.04.3+esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
References:
  https://ubuntu.com/security/notices/USN-6786-1
  CVE-2022-22995

From marc.deslauriers at canonical.com Tue May 28 13:55:48 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Tue, 28 May 2024 09:55:48 -0400
Subject: [USN-6790-1] amavisd-new vulnerability
Message-ID: <12da2fc5-c824-4426-b2ff-14f64e90ee66@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6790-1
May 28, 2024

amavisd-new vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

amavisd-new could be made to bypass security measures.

Software Description:
- amavisd-new: Interface between MTA and virus scanner/content filters

Details:

It was discovered that amavisd-new incorrectly handled certain MIME email messages with multiple boundary parameters. A remote attacker could possibly use this issue to bypass checks for banned files or malware.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  amavisd-new                     1:2.13.0-3ubuntu2

Ubuntu 23.10
  amavisd-new                     1:2.13.0-3ubuntu1.1

Ubuntu 22.04 LTS
  amavisd-new                     1:2.12.2-1ubuntu1.1

Ubuntu 20.04 LTS
  amavisd-new                     1:2.11.0-6.1ubuntu1.1

After a standard system update you need to reboot your computer to make all the necessary changes.
References:
  https://ubuntu.com/security/notices/USN-6790-1
  CVE-2024-28054

Package Information:
  https://launchpad.net/ubuntu/+source/amavisd-new/1:2.13.0-3ubuntu2
  https://launchpad.net/ubuntu/+source/amavisd-new/1:2.13.0-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/amavisd-new/1:2.12.2-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/amavisd-new/1:2.11.0-6.1ubuntu1.1

From marc.deslauriers at canonical.com Tue May 28 13:55:24 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Tue, 28 May 2024 09:55:24 -0400
Subject: [USN-6789-1] LibreOffice vulnerability
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6789-1
May 28, 2024

libreoffice vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

LibreOffice could be made to run programs when clicking a graphic.

Software Description:
- libreoffice: Office productivity suite

Details:

Amel Bouziane-Leblond discovered that LibreOffice incorrectly handled graphic on-click bindings. If a user were tricked into clicking a graphic in a specially crafted document, a remote attacker could possibly run arbitrary script.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  libreoffice                     4:24.2.3-0ubuntu0.24.04.2

Ubuntu 23.10
  libreoffice                     4:7.6.7-0ubuntu0.23.10.2

Ubuntu 22.04 LTS
  libreoffice                     1:7.3.7-0ubuntu0.22.04.5

Ubuntu 20.04 LTS
  libreoffice                     1:6.4.7-0ubuntu0.20.04.10

In general, a standard system update will make all the necessary changes.
References:
  https://ubuntu.com/security/notices/USN-6789-1
  CVE-2024-3044

Package Information:
  https://launchpad.net/ubuntu/+source/libreoffice/4:24.2.3-0ubuntu0.24.04.2
  https://launchpad.net/ubuntu/+source/libreoffice/4:7.6.7-0ubuntu0.23.10.2
  https://launchpad.net/ubuntu/+source/libreoffice/1:7.3.7-0ubuntu0.22.04.5
  https://launchpad.net/ubuntu/+source/libreoffice/1:6.4.7-0ubuntu0.20.04.10

From marc.deslauriers at canonical.com Tue May 28 13:54:53 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Tue, 28 May 2024 09:54:53 -0400
Subject: [USN-6788-1] WebKitGTK vulnerabilities
Message-ID: <1af1ddfa-9eda-4771-8fdb-e3e27d98fff9@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6788-1
May 28, 2024

webkit2gtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:
- webkit2gtk: Web content engine library for GTK+

Details:

Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  libjavascriptcoregtk-4.1-0      2.44.2-0ubuntu0.24.04.1
  libjavascriptcoregtk-6.0-1      2.44.2-0ubuntu0.24.04.1
  libwebkit2gtk-4.1-0             2.44.2-0ubuntu0.24.04.1
  libwebkitgtk-6.0-4              2.44.2-0ubuntu0.24.04.1

Ubuntu 23.10
  libjavascriptcoregtk-4.0-18     2.44.2-0ubuntu0.23.10.1
  libjavascriptcoregtk-4.1-0      2.44.2-0ubuntu0.23.10.1
  libjavascriptcoregtk-6.0-1      2.44.2-0ubuntu0.23.10.1
  libwebkit2gtk-4.0-37            2.44.2-0ubuntu0.23.10.1
  libwebkit2gtk-4.1-0             2.44.2-0ubuntu0.23.10.1
  libwebkitgtk-6.0-4              2.44.2-0ubuntu0.23.10.1

Ubuntu 22.04 LTS
  libjavascriptcoregtk-4.0-18     2.44.2-0ubuntu0.22.04.1
  libjavascriptcoregtk-4.1-0      2.44.2-0ubuntu0.22.04.1
  libjavascriptcoregtk-6.0-1      2.44.2-0ubuntu0.22.04.1
  libwebkit2gtk-4.0-37            2.44.2-0ubuntu0.22.04.1
  libwebkit2gtk-4.1-0             2.44.2-0ubuntu0.22.04.1
  libwebkitgtk-6.0-4              2.44.2-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6788-1
  CVE-2024-27834

Package Information:
  https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.2-0ubuntu0.24.04.1
  https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.2-0ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.2-0ubuntu0.22.04.1
From marc.deslauriers at canonical.com Tue May 28 13:56:11 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Tue, 28 May 2024 09:56:11 -0400
Subject: [USN-6791-1] Unbound vulnerability
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6791-1
May 28, 2024

unbound vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Unbound could be made to take part in a denial of service attack.

Software Description:
- unbound: validating, recursive, caching DNS resolver

Details:

It was discovered that Unbound could take part in a denial of service amplification attack known as DNSBomb. This update introduces certain resource limits to make the impact from Unbound significantly lower.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  libunbound8                     1.19.2-1ubuntu3.1
  unbound                         1.19.2-1ubuntu3.1

Ubuntu 23.10
  libunbound8                     1.17.1-2ubuntu0.2
  unbound                         1.17.1-2ubuntu0.2

Ubuntu 22.04 LTS
  libunbound8                     1.13.1-1ubuntu5.5
  unbound                         1.13.1-1ubuntu5.5

Ubuntu 20.04 LTS
  libunbound8                     1.9.4-2ubuntu1.6
  unbound                         1.9.4-2ubuntu1.6

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6791-1
  CVE-2024-33655

Package Information:
  https://launchpad.net/ubuntu/+source/unbound/1.19.2-1ubuntu3.1
  https://launchpad.net/ubuntu/+source/unbound/1.17.1-2ubuntu0.2
  https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubuntu5.5
  https://launchpad.net/ubuntu/+source/unbound/1.9.4-2ubuntu1.6
From leo.barbosa at canonical.com Tue May 28 16:13:18 2024
From: leo.barbosa at canonical.com (Leonidas S. Barbosa)
Date: Tue, 28 May 2024 13:13:18 -0300
Subject: [USN-6793-1] Git vulnerabilities
Message-ID: <20240528161318.GA93277@d4rkl41n>

==========================================================================
Ubuntu Security Notice USN-6793-1
May 28, 2024

git vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Git.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

It was discovered that Git incorrectly handled certain submodules. An attacker could possibly use this issue to execute arbitrary code. This issue was fixed in Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS. (CVE-2024-32002)

It was discovered that Git incorrectly handled certain cloned repositories. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-32004)

It was discovered that Git incorrectly handled local clones with hardlinked files/directories. An attacker could possibly use this issue to place a specialized repository on their target's local system. (CVE-2024-32020)

It was discovered that Git incorrectly handled certain symlinks. An attacker could possibly use this issue to impact availability and integrity creating hardlinked arbitrary files into users repository's objects/directory. (CVE-2024-32021)

It was discovered that Git incorrectly handled certain cloned repositories. An attacker could possibly use this issue to execute arbitrary code.
(CVE-2024-32465)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  git                             1:2.43.0-1ubuntu7.1

Ubuntu 23.10
  git                             1:2.40.1-1ubuntu1.1

Ubuntu 22.04 LTS
  git                             1:2.34.1-1ubuntu1.11

Ubuntu 20.04 LTS
  git                             1:2.25.1-1ubuntu3.12

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6793-1
  CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021, CVE-2024-32465

Package Information:
  https://launchpad.net/ubuntu/+source/git/1:2.43.0-1ubuntu7.1
  https://launchpad.net/ubuntu/+source/git/1:2.40.1-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.11
  https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.12

From marc.deslauriers at canonical.com Tue May 28 17:00:39 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Tue, 28 May 2024 13:00:39 -0400
Subject: [USN-6794-1] FRR vulnerabilities
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6794-1
May 28, 2024

frr vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in FRR.

Software Description:
- frr: FRRouting suite of internet protocols

Details:

It was discovered that FRR incorrectly handled certain malformed BGP and OSPF packets. A remote attacker could use this issue to cause FRR to crash, resulting in a denial of service, or possibly execute arbitrary code.
Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  frr                             8.4.4-1.1ubuntu6.1

Ubuntu 23.10
  frr                             8.4.4-1.1ubuntu1.4

Ubuntu 22.04 LTS
  frr                             8.1-1ubuntu1.10

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6794-1
  CVE-2024-31948, CVE-2024-31950, CVE-2024-31951, CVE-2024-34088

Package Information:
  https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu6.1
  https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu1.4
  https://launchpad.net/ubuntu/+source/frr/8.1-1ubuntu1.10

From chrisa.oikonomou at canonical.com Tue May 28 16:48:03 2024
From: chrisa.oikonomou at canonical.com (Chrisa Oikonomou)
Date: Tue, 28 May 2024 19:48:03 +0300
Subject: [USN-6792-1] Flask-Security vulnerability
Message-ID: <3ec23acc-cac3-425a-b205-20181edd28a8@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6792-1
May 28, 2024

flask-security vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Flask-Security could be made to bypass URL validation and redirect to arbitrary URL.

Software Description:
- flask-security: Simple security for Flask apps (Python 3)

Details:

Naom Moshe discovered that Flask-Security incorrectly validated URLs. An attacker could use this issue to redirect users to arbitrary URLs.
Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  python3-flask-security          4.0.0-1ubuntu0.1

Ubuntu 20.04 LTS
  python3-flask-security          1.7.5-2ubuntu0.20.04.1

Ubuntu 18.04 LTS
  python3-flask-security          1.7.5-2ubuntu0.18.04.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6792-1
  CVE-2021-23385

Package Information:
  https://launchpad.net/ubuntu/+source/flask-security/4.0.0-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/flask-security/1.7.5-2ubuntu0.20.04.1

From rodrigo.zaiden at canonical.com Tue May 28 19:26:25 2024
From: rodrigo.zaiden at canonical.com (Rodrigo Figueiredo Zaiden)
Date: Tue, 28 May 2024 16:26:25 -0300
Subject: [USN-6795-1] Linux kernel (Intel IoTG) vulnerabilities
Message-ID: <154de531-4429-4a96-86ac-ce63aa0d3f89@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6795-1
May 28, 2024

linux-intel-iotg vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-intel-iotg: Linux kernel for Intel IoT platforms

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use-after-free vulnerability.
A physically proximate attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-47233)

It was discovered that the Open vSwitch implementation in the Linux kernel could overflow its stack during recursive action operations under certain conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-1151)

Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida discovered that the Linux kernel mitigations for the initial Branch History Injection vulnerability (CVE-2022-0001) were insufficient for Intel processors. A local attacker could potentially use this to expose sensitive information. (CVE-2024-2201)

Chenyuan Yang discovered that the RDS Protocol implementation in the Linux kernel contained an out-of-bounds read vulnerability. An attacker could use this to possibly cause a denial of service (system crash). (CVE-2024-23849)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
  - PowerPC architecture;
  - S390 architecture;
  - Core kernel;
  - Block layer subsystem;
  - Android drivers;
  - Power management core;
  - Bus devices;
  - Hardware random number generator core;
  - Cryptographic API;
  - Device frequency;
  - DMA engine subsystem;
  - ARM SCMI message protocol;
  - GPU drivers;
  - HID subsystem;
  - Hardware monitoring drivers;
  - I2C subsystem;
  - IIO ADC drivers;
  - IIO subsystem;
  - IIO Magnetometer sensors drivers;
  - InfiniBand drivers;
  - Media drivers;
  - Network drivers;
  - PCI driver for MicroSemi Switchtec;
  - PHY drivers;
  - SCSI drivers;
  - DesignWare USB3 driver;
  - BTRFS file system;
  - Ceph distributed file system;
  - Ext4 file system;
  - F2FS file system;
  - JFS file system;
  - NILFS2 file system;
  - NTFS3 file system;
  - Pstore file system;
  - SMB network file system;
  - Memory management;
  - CAN network layer;
  - Networking core;
  - HSR network protocol;
  - IPv4 networking;
  - IPv6 networking;
  - Logical Link layer;
  - MAC80211 subsystem;
  - Multipath TCP;
  - Netfilter;
  - NFC subsystem;
  - SMC sockets;
  - Sun RPC protocol;
  - TIPC protocol;
  - Unix domain sockets;
  - Tomoyo security module;
  - Realtek audio codecs;
(CVE-2023-52616, CVE-2024-26679, CVE-2024-26608, CVE-2023-52594, CVE-2024-26622, CVE-2023-52643, CVE-2024-26594, CVE-2023-52598, CVE-2023-52627, CVE-2023-52491, CVE-2024-26592, CVE-2024-26717, CVE-2023-52638, CVE-2024-26704, CVE-2023-52637, CVE-2024-26645, CVE-2023-52602, CVE-2024-26722, CVE-2024-26671, CVE-2023-52599, CVE-2024-26720, CVE-2023-52631, CVE-2023-52486, CVE-2024-26640, CVE-2023-52606, CVE-2023-52633, CVE-2024-26593, CVE-2024-26664, CVE-2023-52618, CVE-2024-26625, CVE-2023-52604, CVE-2024-26695, CVE-2024-26644, CVE-2024-26826, CVE-2024-26600, CVE-2024-26808, CVE-2023-52619, CVE-2023-52597, CVE-2024-26602, CVE-2024-26635, CVE-2023-52623, CVE-2024-26665, CVE-2024-26916, CVE-2024-26689, CVE-2023-52635, CVE-2024-26712, CVE-2023-52614, CVE-2024-26606, CVE-2024-26610, CVE-2024-26675, CVE-2023-52617,
CVE-2024-26697, CVE-2023-52595, CVE-2023-52494, CVE-2024-26641, CVE-2024-26698, CVE-2024-26707, CVE-2024-26673, CVE-2023-52493, CVE-2024-26676, CVE-2024-26910, CVE-2023-52601, CVE-2024-26660, CVE-2023-52608, CVE-2024-26615, CVE-2023-52587, CVE-2024-26825, CVE-2023-52498, CVE-2023-52492, CVE-2024-26668, CVE-2024-26715, CVE-2024-26685, CVE-2024-26702, CVE-2024-26663, CVE-2024-26636, CVE-2024-26627, CVE-2024-26696, CVE-2023-52583, CVE-2023-52642, CVE-2023-52489, CVE-2024-26614, CVE-2024-26829, CVE-2024-26684, CVE-2023-52615, CVE-2023-52435, CVE-2023-52530, CVE-2023-52607, CVE-2024-26920, CVE-2023-52622, CVE-2023-52588) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS linux-image-5.15.0-1057-intel-iotg 5.15.0-1057.63 linux-image-intel-iotg 5.15.0.1057.57 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. 

References:
  https://ubuntu.com/security/notices/USN-6795-1
  CVE-2023-47233, CVE-2023-52435, CVE-2023-52486, CVE-2023-52489,
  CVE-2023-52491, CVE-2023-52492, CVE-2023-52493, CVE-2023-52494,
  CVE-2023-52498, CVE-2023-52530, CVE-2023-52583, CVE-2023-52587,
  CVE-2023-52588, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597,
  CVE-2023-52598, CVE-2023-52599, CVE-2023-52601, CVE-2023-52602,
  CVE-2023-52604, CVE-2023-52606, CVE-2023-52607, CVE-2023-52608,
  CVE-2023-52614, CVE-2023-52615, CVE-2023-52616, CVE-2023-52617,
  CVE-2023-52618, CVE-2023-52619, CVE-2023-52622, CVE-2023-52623,
  CVE-2023-52627, CVE-2023-52631, CVE-2023-52633, CVE-2023-52635,
  CVE-2023-52637, CVE-2023-52638, CVE-2023-52642, CVE-2023-52643,
  CVE-2024-1151, CVE-2024-2201, CVE-2024-23849, CVE-2024-26592,
  CVE-2024-26593, CVE-2024-26594, CVE-2024-26600, CVE-2024-26602,
  CVE-2024-26606, CVE-2024-26608, CVE-2024-26610, CVE-2024-26614,
  CVE-2024-26615, CVE-2024-26622, CVE-2024-26625, CVE-2024-26627,
  CVE-2024-26635, CVE-2024-26636, CVE-2024-26640, CVE-2024-26641,
  CVE-2024-26644, CVE-2024-26645, CVE-2024-26660, CVE-2024-26663,
  CVE-2024-26664, CVE-2024-26665, CVE-2024-26668, CVE-2024-26671,
  CVE-2024-26673, CVE-2024-26675, CVE-2024-26676, CVE-2024-26679,
  CVE-2024-26684, CVE-2024-26685, CVE-2024-26689, CVE-2024-26695,
  CVE-2024-26696, CVE-2024-26697, CVE-2024-26698, CVE-2024-26702,
  CVE-2024-26704, CVE-2024-26707, CVE-2024-26712, CVE-2024-26715,
  CVE-2024-26717, CVE-2024-26720, CVE-2024-26722, CVE-2024-26808,
  CVE-2024-26825, CVE-2024-26826, CVE-2024-26829, CVE-2024-26910,
  CVE-2024-26916, CVE-2024-26920

Package Information:
  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1057.63

From nishit.majithia at canonical.com Wed May 29 05:58:55 2024
From: nishit.majithia at canonical.com (Nishit Majithia)
Date: Wed, 29 May 2024 11:28:55 +0530
Subject: [USN-6779-2] Firefox regressions
Message-ID: <20240529055855.ffklb3klpscjcpp5@machine>

==========================================================================
Ubuntu Security Notice USN-6779-2
May 29, 2024

firefox regressions
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

USN-6779-1 caused some minor regressions in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-6779-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-4767,
CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773,
CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778)

Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory
when audio input connected with multiple consumers. An attacker could
potentially exploit this issue to cause a denial of service, or execute
arbitrary code. (CVE-2024-4764)

Thomas Rinsma discovered that Firefox did not properly handle type check
when handling fonts in PDF.js. An attacker could potentially exploit this
issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367)

Irvan Kurniawan discovered that Firefox did not properly handle certain
font styles when saving a page to PDF.
An attacker could potentially exploit this issue to cause a denial of
service. (CVE-2024-4770)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  firefox                       126.0.1+build1-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6779-2
  https://ubuntu.com/security/notices/USN-6779-1
  https://launchpad.net/bugs/2067445

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/126.0.1+build1-0ubuntu0.20.04.1

From nick.galanis at canonical.com Wed May 29 09:22:01 2024
From: nick.galanis at canonical.com (Nick Galanis)
Date: Wed, 29 May 2024 10:22:01 +0100
Subject: [USN-6787-1] Jinja2 vulnerability
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6787-1
May 28, 2024

jinja2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Jinja2 could allow cross-site scripting (XSS) attacks.

Software Description:
- jinja2: small but fast and easy to use stand-alone template engine

Details:

It was discovered that Jinja2 incorrectly handled certain HTML attributes
that were accepted by the xmlattr filter. An attacker could use this issue
to inject arbitrary HTML attribute keys and values to potentially execute
a cross-site scripting (XSS) attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-jinja2                3.1.2-1ubuntu1.1

Ubuntu 23.10
  python3-jinja2                3.1.2-1ubuntu0.23.10.2

Ubuntu 22.04 LTS
  python3-jinja2                3.0.3-1ubuntu0.2

Ubuntu 20.04 LTS
  python-jinja2                 2.10.1-2ubuntu0.3
  python3-jinja2                2.10.1-2ubuntu0.3

Ubuntu 18.04 LTS
  python-jinja2                 2.10-1ubuntu0.18.04.1+esm2
                                Available with Ubuntu Pro
  python3-jinja2                2.10-1ubuntu0.18.04.1+esm2
                                Available with Ubuntu Pro

Ubuntu 16.04 LTS
  python-jinja2                 2.8-1ubuntu0.1+esm3
                                Available with Ubuntu Pro
  python3-jinja2                2.8-1ubuntu0.1+esm3
                                Available with Ubuntu Pro

Ubuntu 14.04 LTS
  python-jinja2                 2.7.2-2ubuntu0.1~esm3
                                Available with Ubuntu Pro
  python3-jinja2                2.7.2-2ubuntu0.1~esm3
                                Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6787-1
  CVE-2024-34064

Package Information:
  https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu0.23.10.2
  https://launchpad.net/ubuntu/+source/jinja2/3.0.3-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/jinja2/2.10.1-2ubuntu0.3

From alex.murray at canonical.com Wed May 29 12:36:11 2024
From: alex.murray at canonical.com (Alex Murray)
Date: Wed, 29 May 2024 22:06:11 +0930
Subject: [USN-6797-1] Intel Microcode vulnerabilities
Message-ID: <87sey0yev8.fsf@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6797-1
May 29, 2024

intel-microcode vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Intel Microcode.

Software Description:
- intel-microcode: Processor microcode for Intel CPUs

Details:

It was discovered that some 3rd and 4th Generation Intel® Xeon® Processors
did not properly restrict access to certain hardware features when using
Intel® SGX or Intel® TDX. This may allow a privileged local user to
potentially further escalate their privileges on the system. This issue
only affected Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu
18.04 LTS and Ubuntu 16.04 LTS. (CVE-2023-22655)

It was discovered that some Intel® Atom® Processors did not properly clear
register state when performing various operations. A local attacker could
use this to obtain sensitive information via a transient execution attack.
This issue only affected Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS,
Ubuntu 18.04 LTS and Ubuntu 16.04 LTS. (CVE-2023-28746)

It was discovered that some Intel® Processors did not properly clear the
state of various hardware structures when switching execution contexts. A
local attacker could use this to access privileged information.
This issue only affected Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS,
Ubuntu 18.04 LTS and Ubuntu 16.04 LTS. (CVE-2023-38575)

It was discovered that some Intel® Processors did not properly enforce bus
lock regulator protections. A remote attacker could use this to cause a
denial of service. This issue only affected Ubuntu 23.10, Ubuntu 22.04
LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS and Ubuntu 16.04 LTS.
(CVE-2023-39368)

It was discovered that some Intel® Xeon® D Processors did not properly
calculate the SGX base key when using Intel® SGX. A privileged local
attacker could use this to obtain sensitive information. This issue only
affected Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04
LTS and Ubuntu 16.04 LTS. (CVE-2023-43490)

It was discovered that some Intel® Processors did not properly protect
against concurrent accesses. A local attacker could use this to obtain
sensitive information. (CVE-2023-45733)

It was discovered that some Intel® Processors TDX module software did not
properly validate input. A privileged local attacker could use this
information to potentially further escalate their privileges on the
system. (CVE-2023-45745, CVE-2023-47855)

It was discovered that some Intel® Core™ Ultra processors did not properly
handle particular instruction sequences. A local attacker could use this
issue to cause a denial of service.
(CVE-2023-46103)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  intel-microcode               3.20240514.0ubuntu0.24.04.1

Ubuntu 23.10
  intel-microcode               3.20240514.0ubuntu0.23.10.1

Ubuntu 22.04 LTS
  intel-microcode               3.20240514.0ubuntu0.22.04.1

Ubuntu 20.04 LTS
  intel-microcode               3.20240514.0ubuntu0.20.04.1

Ubuntu 18.04 LTS
  intel-microcode               3.20240514.0ubuntu0.18.04.1+esm1
                                Available with Ubuntu Pro

Ubuntu 16.04 LTS
  intel-microcode               3.20240514.0ubuntu0.16.04.1+esm1
                                Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6797-1
  CVE-2023-22655, CVE-2023-28746, CVE-2023-38575, CVE-2023-39368,
  CVE-2023-43490, CVE-2023-45733, CVE-2023-45745, CVE-2023-46103,
  CVE-2023-47855

Package Information:
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240514.0ubuntu0.24.04.1
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240514.0ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240514.0ubuntu0.22.04.1
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240514.0ubuntu0.20.04.1

--
Alex Murray
Staff Engineer | Security Engineering
Adelaide, Australia (GMT+0930)

From federico.quattrin at canonical.com Wed May 29 16:14:40 2024
From: federico.quattrin at canonical.com (Federico Quattrin)
Date: Wed, 29 May 2024 13:14:40 -0300
Subject: [USN-6796-1] TPM2 Software Stack vulnerabilities
Message-ID: <2de443c2-da32-4560-9ed8-51c3bed482c2@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6796-1
May 29, 2024

tpm2-tss vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in TPM2 Software Stack.

Software Description:
- tpm2-tss: TPM2 Software Stack library

Details:

Fergus Dall discovered that TPM2 Software Stack did not properly handle
layer arrays. An attacker could possibly use this issue to cause TPM2
Software Stack to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2023-22745)

Jurgen Repp and Andreas Fuchs discovered that TPM2 Software Stack did not
validate the quote data after deserialization. An attacker could generate
an arbitrary quote and cause TPM2 Software Stack to have unknown behavior.
(CVE-2024-29040)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libtss2-esys-3.0.2-0t64       4.0.1-7.1ubuntu5.1
  libtss2-fapi1t64              4.0.1-7.1ubuntu5.1
  libtss2-mu-4.0.1-0t64         4.0.1-7.1ubuntu5.1
  libtss2-policy0t64            4.0.1-7.1ubuntu5.1
  libtss2-rc0t64                4.0.1-7.1ubuntu5.1
  libtss2-sys1t64               4.0.1-7.1ubuntu5.1
  libtss2-tcti-cmd0t64          4.0.1-7.1ubuntu5.1
  libtss2-tcti-device0t64       4.0.1-7.1ubuntu5.1
  libtss2-tcti-libtpms0t64      4.0.1-7.1ubuntu5.1
  libtss2-tcti-mssim0t64        4.0.1-7.1ubuntu5.1
  libtss2-tcti-pcap0t64         4.0.1-7.1ubuntu5.1
  libtss2-tcti-spi-helper0t64   4.0.1-7.1ubuntu5.1
  libtss2-tcti-swtpm0t64        4.0.1-7.1ubuntu5.1
  libtss2-tctildr0t64           4.0.1-7.1ubuntu5.1

Ubuntu 23.10
  libtss2-esys-3.0.2-0          4.0.1-3ubuntu1.1
  libtss2-fapi1                 4.0.1-3ubuntu1.1
  libtss2-mu0                   4.0.1-3ubuntu1.1
  libtss2-policy0               4.0.1-3ubuntu1.1
  libtss2-rc0                   4.0.1-3ubuntu1.1
  libtss2-sys1                  4.0.1-3ubuntu1.1
  libtss2-tcti-cmd0             4.0.1-3ubuntu1.1
  libtss2-tcti-device0          4.0.1-3ubuntu1.1
  libtss2-tcti-libtpms0         4.0.1-3ubuntu1.1
  libtss2-tcti-mssim0           4.0.1-3ubuntu1.1
  libtss2-tcti-pcap0            4.0.1-3ubuntu1.1
  libtss2-tcti-spi-helper0      4.0.1-3ubuntu1.1
  libtss2-tcti-swtpm0           4.0.1-3ubuntu1.1
  libtss2-tctildr0              4.0.1-3ubuntu1.1

Ubuntu 22.04 LTS
  libtss2-esys-3.0.2-0          3.2.0-1ubuntu1.1
  libtss2-fapi1                 3.2.0-1ubuntu1.1
  libtss2-mu0                   3.2.0-1ubuntu1.1
  libtss2-rc0                   3.2.0-1ubuntu1.1
  libtss2-sys1                  3.2.0-1ubuntu1.1
  libtss2-tcti-cmd0             3.2.0-1ubuntu1.1
  libtss2-tcti-device0          3.2.0-1ubuntu1.1
  libtss2-tcti-mssim0           3.2.0-1ubuntu1.1
  libtss2-tcti-swtpm0           3.2.0-1ubuntu1.1
  libtss2-tctildr0              3.2.0-1ubuntu1.1

Ubuntu 20.04 LTS
  libtss2-esys0                 2.3.2-1ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6796-1
  CVE-2023-22745, CVE-2024-29040

Package Information:
  https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-7.1ubuntu5.1
  https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/tpm2-tss/3.2.0-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/tpm2-tss/2.3.2-1ubuntu0.20.04.2

From leo.barbosa at canonical.com Wed May 29 17:25:06 2024
From: leo.barbosa at canonical.com (Leonidas S. Barbosa)
Date: Wed, 29 May 2024 14:25:06 -0300
Subject: [USN-6798-1] GStreamer Base Plugins vulnerability
Message-ID: <20240529172506.GA2279195@d4rkl41n>

==========================================================================
Ubuntu Security Notice USN-6798-1
May 29, 2024

gst-plugins-base1.0 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

GStreamer Base Plugins could be made to crash or run programs as your
login if it opened a specially crafted file.

Software Description:
- gst-plugins-base1.0: GStreamer plugins

Details:

It was discovered that GStreamer Base Plugins incorrectly handled certain
EXIF metadata. An attacker could possibly use this issue to execute
arbitrary code or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  gstreamer1.0-plugins-base     1.24.2-1ubuntu0.1

Ubuntu 23.10
  gstreamer1.0-plugins-base     1.22.6-1ubuntu0.1

Ubuntu 22.04 LTS
  gstreamer1.0-plugins-base     1.20.1-1ubuntu0.2

Ubuntu 20.04 LTS
  gstreamer1.0-plugins-base     1.16.3-0ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6798-1
  CVE-2024-4453

Package Information:
  https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.24.2-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.22.6-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.20.1-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.16.3-0ubuntu1.3

From fabian.toepfer at canonical.com Wed May 29 15:45:56 2024
From: fabian.toepfer at canonical.com (Fabian Toepfer)
Date: Wed, 29 May 2024 17:45:56 +0200
Subject: [USN-6799-1] Werkzeug vulnerability
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6799-1
May 29, 2024

python-werkzeug vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Werkzeug could be made to execute code under certain circumstances.

Software Description:
- python-werkzeug: collection of utilities for WSGI applications

Details:

It was discovered that the debugger in Werkzeug was not restricted to
trusted hosts. A remote attacker could possibly use this issue to execute
code on the host under certain circumstances.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-werkzeug              3.0.1-3ubuntu0.1

Ubuntu 23.10
  python3-werkzeug              2.2.2-3ubuntu0.1

Ubuntu 22.04 LTS
  python3-werkzeug              2.0.2+dfsg1-1ubuntu0.22.04.2

Ubuntu 20.04 LTS
  python3-werkzeug              0.16.1+dfsg1-2ubuntu0.2

Ubuntu 18.04 LTS
  python-werkzeug               0.14.1+dfsg1-1ubuntu0.2+esm1
                                Available with Ubuntu Pro
  python3-werkzeug              0.14.1+dfsg1-1ubuntu0.2+esm1
                                Available with Ubuntu Pro

Ubuntu 16.04 LTS
  python-werkzeug               0.10.4+dfsg1-1ubuntu1.2+esm2
                                Available with Ubuntu Pro
  python3-werkzeug              0.10.4+dfsg1-1ubuntu1.2+esm2
                                Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6799-1
  CVE-2024-34069

Package Information:
  https://launchpad.net/ubuntu/+source/python-werkzeug/3.0.1-3ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-werkzeug/2.2.2-3ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-werkzeug/2.0.2+dfsg1-1ubuntu0.22.04.2
  https://launchpad.net/ubuntu/+source/python-werkzeug/0.16.1+dfsg1-2ubuntu0.2

From amir.naseredini at canonical.com Thu May 30 13:53:11 2024
From: amir.naseredini at canonical.com (Amir Naseredini)
Date: Thu, 30 May 2024 14:53:11 +0100
Subject: [USN-6800-1] browserify-sign vulnerability
Message-ID: <0dc87b06-6fa7-457a-ab30-b3ec8c39699b@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6800-1
May 30, 2024

node-browserify-sign vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

browserify-sign could allow unintended access if it opened a specially
crafted file.

Software Description:
- node-browserify-sign: createSign and createVerify in your browser

Details:

It was discovered that browserify-sign incorrectly handled an upper bound
check in signature verification. If a user or an automated system were
tricked into opening a specially crafted input file, a remote attacker
could possibly use this issue to perform a signature forgery attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  node-browserify-sign          4.2.1-3ubuntu0.1

Ubuntu 22.04 LTS
  node-browserify-sign          4.2.1-2ubuntu0.1

Ubuntu 20.04 LTS
  node-browserify-sign          4.0.4-2ubuntu0.20.04.1

Ubuntu 18.04 LTS
  node-browserify-sign          4.0.4-2ubuntu0.18.04.1~esm1
                                Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6800-1
  CVE-2023-46234

Package Information:
  https://launchpad.net/ubuntu/+source/node-browserify-sign/4.2.1-3ubuntu0.1
  https://launchpad.net/ubuntu/+source/node-browserify-sign/4.2.1-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/node-browserify-sign/4.0.4-2ubuntu0.20.04.1

From marc.deslauriers at canonical.com Thu May 30 14:26:55 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Thu, 30 May 2024 10:26:55 -0400
Subject: [USN-6801-1] PyMySQL vulnerability
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6801-1
May 30, 2024

python-pymysql vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

PyMySQL could be vulnerable to SQL injection attacks.

Software Description:
- python-pymysql: Pure-Python MySQL driver

Details:

It was discovered that PyMySQL incorrectly escaped untrusted JSON input.
An attacker could possibly use this issue to perform SQL injection
attacks.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-pymysql               1.0.2-2ubuntu1.1

Ubuntu 23.10
  python3-pymysql               1.0.2-1ubuntu1.23.10.1

Ubuntu 22.04 LTS
  python3-pymysql               1.0.2-1ubuntu1.22.04.1

Ubuntu 20.04 LTS
  python3-pymysql               0.9.3-2ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6801-1
  CVE-2024-36039

Package Information:
  https://launchpad.net/ubuntu/+source/python-pymysql/1.0.2-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/python-pymysql/1.0.2-1ubuntu1.23.10.1
  https://launchpad.net/ubuntu/+source/python-pymysql/1.0.2-1ubuntu1.22.04.1
  https://launchpad.net/ubuntu/+source/python-pymysql/0.9.3-2ubuntu3.1

From marc.deslauriers at canonical.com Thu May 30 14:27:29 2024
From: marc.deslauriers at canonical.com (Marc Deslauriers)
Date: Thu, 30 May 2024 10:27:29 -0400
Subject: [USN-6802-1] PostgreSQL vulnerability
Message-ID:

==========================================================================
Ubuntu Security Notice USN-6802-1
May 30, 2024

postgresql-14, postgresql-15, postgresql-16 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

PostgreSQL could be made to expose sensitive information.

Software Description:
- postgresql-16: Object-relational SQL database
- postgresql-15: Object-relational SQL database
- postgresql-14: Object-relational SQL database

Details:

Lukas Fittl discovered that PostgreSQL incorrectly performed authorization
in the built-in pg_stats_ext and pg_stats_ext_exprs views. An unprivileged
database user can use this issue to read most common values and other
statistics from CREATE STATISTICS commands of other users.

NOTE: This update will only fix fresh PostgreSQL installations. Current
PostgreSQL installations will remain vulnerable to this issue until manual
steps are performed.
Please see the instructions in the changelog located at
/usr/share/doc/postgresql-*/changelog.Debian.gz after the updated packages
have been installed, or in the PostgreSQL release notes located here:

https://www.postgresql.org/docs/16/release-16-3.html
https://www.postgresql.org/docs/15/release-15-7.html
https://www.postgresql.org/docs/14/release-14-12.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  postgresql-16                 16.3-0ubuntu0.24.04.1
  postgresql-client-16          16.3-0ubuntu0.24.04.1

Ubuntu 23.10
  postgresql-15                 15.7-0ubuntu0.23.10.1
  postgresql-client-15          15.7-0ubuntu0.23.10.1

Ubuntu 22.04 LTS
  postgresql-14                 14.12-0ubuntu0.22.04.1
  postgresql-client-14          14.12-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes, and possibly perform manual steps as
described above.

References:
  https://ubuntu.com/security/notices/USN-6802-1
  CVE-2024-4317

Package Information:
  https://launchpad.net/ubuntu/+source/postgresql-16/16.3-0ubuntu0.24.04.1
  https://launchpad.net/ubuntu/+source/postgresql-15/15.7-0ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/postgresql-14/14.12-0ubuntu0.22.04.1

From allen.huang at canonical.com Thu May 30 18:34:36 2024
From: allen.huang at canonical.com (Allen Huang)
Date: Thu, 30 May 2024 19:34:36 +0100
Subject: [USN-6803-1] FFmpeg vulnerabilities
Message-ID: <5cbb6ada-f8e9-4eeb-b343-1b3e9710debb@canonical.com>

==========================================================================
Ubuntu Security Notice USN-6803-1
May 30, 2024

ffmpeg vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

FFmpeg could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 24.04 LTS.
(CVE-2023-49501)

Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS. (CVE-2023-49502)

Zhang Ling and Zeng Yunxiang discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 23.10 and Ubuntu 24.04
LTS.
(CVE-2023-49528)

Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2023-50007)

Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 23.10 and Ubuntu 24.04
LTS. (CVE-2023-50008)

Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 23.10. (CVE-2023-50009)

Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-50010)

Zeng Yunxiang and Li Zeyuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 23.10 and Ubuntu 24.04
LTS. (CVE-2023-51793)

Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS and Ubuntu 23.10. (CVE-2023-51794, CVE-2023-51798)

Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files.
An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 23.10. (CVE-2023-51795, CVE-2023-51796)

It was discovered that FFmpeg incorrectly handled certain input files. An
attacker could possibly use this issue to cause FFmpeg to crash, resulting
in a denial of service, or potential arbitrary code execution. This issue
only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu
23.10 and Ubuntu 24.04 LTS. (CVE-2024-31578)

It was discovered that FFmpeg incorrectly handled certain input files. An
attacker could possibly use this issue to cause FFmpeg to crash, resulting
in a denial of service, or potential arbitrary code execution. This issue
only affected Ubuntu 23.10 and Ubuntu 24.04 LTS. (CVE-2024-31582)

It was discovered that FFmpeg incorrectly handled certain input files. An
attacker could possibly use this issue to cause FFmpeg to crash, resulting
in a denial of service, or potential arbitrary code execution. This issue
only affected Ubuntu 23.10.
(CVE-2024-31585)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  ffmpeg                     7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libavcodec-extra60         7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libavcodec60               7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libavdevice60              7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libavfilter-extra9         7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libavfilter9               7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libavformat-extra60        7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libavformat60              7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libavutil58                7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libpostproc57              7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libswresample4             7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro
  libswscale7                7:6.1.1-3ubuntu5+esm1  Available with Ubuntu Pro

Ubuntu 23.10
  ffmpeg                     7:6.0-6ubuntu1.1
  libavcodec-extra60         7:6.0-6ubuntu1.1
  libavcodec60               7:6.0-6ubuntu1.1
  libavdevice60              7:6.0-6ubuntu1.1
  libavfilter-extra9         7:6.0-6ubuntu1.1
  libavfilter9               7:6.0-6ubuntu1.1
  libavformat-extra60        7:6.0-6ubuntu1.1
  libavformat60              7:6.0-6ubuntu1.1
  libavutil58                7:6.0-6ubuntu1.1
  libpostproc57              7:6.0-6ubuntu1.1
  libswresample4             7:6.0-6ubuntu1.1
  libswscale7                7:6.0-6ubuntu1.1

Ubuntu 22.04 LTS
  ffmpeg                     7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libavcodec-extra58         7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libavcodec58               7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libavdevice58              7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libavfilter-extra7         7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libavfilter7               7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libavformat-extra          7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libavformat-extra58        7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libavformat58              7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libavutil56                7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libpostproc55              7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libswresample3             7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro
  libswscale5                7:4.4.2-0ubuntu0.22.04.1+esm4  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  ffmpeg                     7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavcodec-extra58         7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavcodec58               7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavdevice58              7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavfilter-extra7         7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavfilter7               7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavformat58              7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavresample4             7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavutil56                7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libpostproc55              7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libswresample3             7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libswscale5                7:4.2.7-0ubuntu0.1+esm5  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ffmpeg                     7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavcodec-extra57         7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavcodec57               7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavdevice57              7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavfilter-extra6         7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavfilter6               7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavformat57              7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavresample3             7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libavutil55                7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libpostproc54              7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libswresample2             7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro
  libswscale4                7:3.4.11-0ubuntu0.1+esm5  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  ffmpeg                     7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libavcodec-ffmpeg-extra56  7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libavcodec-ffmpeg56        7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libavdevice-ffmpeg56       7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libavfilter-ffmpeg5        7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libavformat-ffmpeg56       7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libavresample-ffmpeg2      7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libavutil-ffmpeg54         7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libpostproc-ffmpeg53       7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libswresample-ffmpeg1      7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro
  libswscale-ffmpeg3         7:2.8.17-0ubuntu0.1+esm7  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6803-1
  CVE-2023-49501, CVE-2023-49502, CVE-2023-49528, CVE-2023-50007,
  CVE-2023-50008, CVE-2023-50009, CVE-2023-50010, CVE-2023-51793,
  CVE-2023-51794, CVE-2023-51795, CVE-2023-51796, CVE-2023-51798,
  CVE-2024-31578, CVE-2024-31582, CVE-2024-31585

Package Information:
  https://launchpad.net/ubuntu/+source/ffmpeg/7:6.0-6ubuntu1.1

From pfsmorigo at canonical.com Fri May 31 14:17:07 2024
From: pfsmorigo at canonical.com (Paulo Flabiano Smorigo)
Date: Fri, 31 May 2024 11:17:07 -0300
Subject: [USN-6804-1] GNU C Library vulnerabilities
Message-ID: <20240531141707.orkpncihdwrlexqw@morty>

==========================================================================
Ubuntu Security Notice USN-6804-1
May 31, 2024

glibc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in GNU C Library.

Software Description:
- glibc: GNU C Library

Details:

It was discovered that GNU C Library nscd daemon contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-33599)

It was discovered that GNU C Library nscd daemon did not properly check the cache content, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-33600)

It was discovered that GNU C Library nscd daemon did not properly validate memory allocation in certain situations, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-33601)

It was discovered that GNU C Library nscd daemon did not properly handle memory allocation, which could lead to memory corruption. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-33602)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  nscd  2.39-0ubuntu8.2

Ubuntu 23.10
  nscd  2.38-1ubuntu6.3

Ubuntu 22.04 LTS
  nscd  2.35-0ubuntu3.8

Ubuntu 20.04 LTS
  nscd  2.31-0ubuntu9.16

Ubuntu 18.04 LTS
  nscd  2.27-3ubuntu1.6+esm3  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  nscd  2.23-0ubuntu11.3+esm7  Available with Ubuntu Pro

After a standard system update you need to restart nscd to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6804-1
  CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602

Package Information:
  https://launchpad.net/ubuntu/+source/glibc/2.39-0ubuntu8.2
  https://launchpad.net/ubuntu/+source/glibc/2.38-1ubuntu6.3
  https://launchpad.net/ubuntu/+source/glibc/2.35-0ubuntu3.8
  https://launchpad.net/ubuntu/+source/glibc/2.31-0ubuntu9.16
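
Added example, not part of the notice and not Canonical's code: a check of an installed nscd version against the fixed versions listed in USN-6804-1 above, using a small re-implementation of Debian version ordering (epoch, upstream version, revision). The names FIXED, compare and is_patched are hypothetical; on a live system `dpkg --compare-versions` is the authoritative comparison.

```python
import re

# Fixed nscd versions per Ubuntu release, copied from USN-6804-1 above.
FIXED = {
    "24.04": "2.39-0ubuntu8.2",
    "23.10": "2.38-1ubuntu6.3",
    "22.04": "2.35-0ubuntu3.8",
    "20.04": "2.31-0ubuntu9.16",
    "18.04": "2.27-3ubuntu1.6+esm3",
    "16.04": "2.23-0ubuntu11.3+esm7",
}

def _order(c):
    """Weight of one character in a text run: '~' < end < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings, alternating text and number runs."""
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            wa, wb = _order(ta[i:i + 1]), _order(tb[i:i + 1])
            if wa != wb:
                return -1 if wa < wb else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _parse(version):
    """Split '[epoch:]upstream[-revision]' into its three fields."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, revision

def compare(v1, v2):
    """Return -1, 0 or 1 using Debian version ordering."""
    (e1, u1, r1), (e2, u2, r2) = _parse(v1), _parse(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_patched(release, installed):
    """True when the installed nscd is at or above the fixed version."""
    return compare(installed, FIXED[release]) >= 0
```

A plain string comparison ranks the constructed version `2.31-0ubuntu9.9` above the fixed `2.31-0ubuntu9.16`, while `is_patched("20.04", "2.31-0ubuntu9.9")` returns False. A non-ESM `2.27-3ubuntu1.6` on 18.04 is likewise reported as unpatched.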