[USN-6362-2] .Net regressions
== Ubuntu Security Notice USN-6362-2 October 25, 2023 .Net regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.04 - Ubuntu 22.04 LTS Summary: An incomplete fix was discovered in .Net. Software Description: - dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Details: USN-6362-1 fixed vulnerabilities in .Net. It was discovered that the fix for [CVE-2023-36799](https://ubuntu.com/security/CVE-2023-36799) was incomplete. This update fixes the problem. Original advisory details: Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.04: aspnetcore-runtime-6.0 6.0.124-0ubuntu1~23.04.1 aspnetcore-runtime-7.0 7.0.113-0ubuntu1~23.04.1 dotnet-host 6.0.124-0ubuntu1~23.04.1 dotnet-host-7.0 7.0.113-0ubuntu1~23.04.1 dotnet-hostfxr-6.0 6.0.124-0ubuntu1~23.04.1 dotnet-hostfxr-7.0 7.0.113-0ubuntu1~23.04.1 dotnet-runtime-6.0 6.0.124-0ubuntu1~23.04.1 dotnet-runtime-7.0 7.0.113-0ubuntu1~23.04.1 dotnet-sdk-6.0 6.0.124-0ubuntu1~23.04.1 dotnet-sdk-7.0 7.0.113-0ubuntu1~23.04.1 dotnet6 6.0.124-0ubuntu1~23.04.1 dotnet7 7.0.113-0ubuntu1~23.04.1 Ubuntu 22.04 LTS: aspnetcore-runtime-6.0 6.0.124-0ubuntu1~22.04.1 aspnetcore-runtime-7.0 7.0.113-0ubuntu1~22.04.1 dotnet-host 6.0.124-0ubuntu1~22.04.1 dotnet-host-7.0 7.0.113-0ubuntu1~22.04.1 dotnet-hostfxr-6.0 6.0.124-0ubuntu1~22.04.1 dotnet-hostfxr-7.0 7.0.113-0ubuntu1~22.04.1 dotnet-runtime-6.0 6.0.124-0ubuntu1~22.04.1 dotnet-runtime-7.0 7.0.113-0ubuntu1~22.04.1 dotnet-sdk-6.0 6.0.124-0ubuntu1~22.04.1 dotnet-sdk-7.0 7.0.113-0ubuntu1~22.04.1 dotnet6 6.0.124-0ubuntu1~22.04.1 dotnet7 7.0.113-0ubuntu1~22.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6362-2 https://ubuntu.com/security/notices/USN-6362-1 CVE-2023-36799, https://launchpad.net/bugs/2040207, https://launchpad.net/bugs/2040208 Package Information: https://launchpad.net/ubuntu/+source/dotnet6/6.0.124-0ubuntu1~23.04.1 https://launchpad.net/ubuntu/+source/dotnet7/7.0.113-0ubuntu1~23.04.1 https://launchpad.net/ubuntu/+source/dotnet6/6.0.124-0ubuntu1~22.04.1 https://launchpad.net/ubuntu/+source/dotnet7/7.0.113-0ubuntu1~22.04.1 signature.asc Description: PGP signature
[USN-6438-2] .Net regressions
== Ubuntu Security Notice USN-6438-2 October 25, 2023 .Net regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 Summary: An incomplete fix was discovered in .Net. Software Description: - dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Details: USN-6438-1 fixed vulnerabilities in .Net. It was discovered that the fix for [CVE-2023-36799](https://ubuntu.com/security/CVE-2023-36799) was incomplete. This update fixes the problem. Original advisory details: Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-36799) It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-44487) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: aspnetcore-runtime-6.0 6.0.124-0ubuntu1~23.10.1 aspnetcore-runtime-7.0 7.0.113-0ubuntu1~23.10.1 dotnet-host 6.0.124-0ubuntu1~23.10.1 dotnet-host-7.0 7.0.113-0ubuntu1~23.10.1 dotnet-hostfxr-6.0 6.0.124-0ubuntu1~23.10.1 dotnet-hostfxr-7.0 7.0.113-0ubuntu1~23.10.1 dotnet-runtime-6.0 6.0.124-0ubuntu1~23.10.1 dotnet-runtime-7.0 7.0.113-0ubuntu1~23.10.1 dotnet-sdk-6.0 6.0.124-0ubuntu1~23.10.1 dotnet-sdk-7.0 7.0.113-0ubuntu1~23.10.1 dotnet6 6.0.124-0ubuntu1~23.10.1 dotnet7 7.0.113-0ubuntu1~23.10.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6438-2 https://ubuntu.com/security/notices/USN-6438-1 CVE-2023-36799, https://launchpad.net/bugs/2040207, https://launchpad.net/bugs/2040208 Package Information: https://launchpad.net/ubuntu/+source/dotnet6/6.0.124-0ubuntu1~23.10.1 https://launchpad.net/ubuntu/+source/dotnet7/7.0.113-0ubuntu1~23.10.1 signature.asc Description: PGP signature
[USN-6451-1] ncurses vulnerability
== Ubuntu Security Notice USN-6451-1 October 24, 2023 ncurses vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) - Ubuntu 14.04 LTS (Available with Ubuntu Pro) Summary: ncurses could be made to crash if it opened a specially crafted file. Software Description: - ncurses: shared libraries for terminal handling Details: It was discovered that ncurses could be made to read out of bounds. An attacker could possibly use this issue to cause a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS (Available with Ubuntu Pro): lib32ncurses5 6.1-1ubuntu1.18.04.1+esm1 lib32ncursesw5 6.1-1ubuntu1.18.04.1+esm1 lib32tinfo5 6.1-1ubuntu1.18.04.1+esm1 lib64ncurses5 6.1-1ubuntu1.18.04.1+esm1 lib64tinfo5 6.1-1ubuntu1.18.04.1+esm1 libncurses5 6.1-1ubuntu1.18.04.1+esm1 libncursesw5 6.1-1ubuntu1.18.04.1+esm1 libtinfo5 6.1-1ubuntu1.18.04.1+esm1 libx32ncurses5 6.1-1ubuntu1.18.04.1+esm1 libx32ncursesw5 6.1-1ubuntu1.18.04.1+esm1 libx32tinfo5 6.1-1ubuntu1.18.04.1+esm1 ncurses-bin 6.1-1ubuntu1.18.04.1+esm1 Ubuntu 16.04 LTS (Available with Ubuntu Pro): lib32ncurses5 6.0+20160213-1ubuntu1+esm4 lib32ncursesw5 6.0+20160213-1ubuntu1+esm4 lib32tinfo5 6.0+20160213-1ubuntu1+esm4 lib64ncurses5 6.0+20160213-1ubuntu1+esm4 lib64tinfo5 6.0+20160213-1ubuntu1+esm4 libncurses5 6.0+20160213-1ubuntu1+esm4 libncursesw5 6.0+20160213-1ubuntu1+esm4 libtinfo5 6.0+20160213-1ubuntu1+esm4 libx32ncurses5 6.0+20160213-1ubuntu1+esm4 libx32ncursesw5 6.0+20160213-1ubuntu1+esm4 libx32tinfo5 6.0+20160213-1ubuntu1+esm4 ncurses-bin 6.0+20160213-1ubuntu1+esm4 Ubuntu 14.04 LTS (Available with Ubuntu Pro): lib32ncurses5 5.9+20140118-1ubuntu1+esm4 lib32ncursesw5 5.9+20140118-1ubuntu1+esm4 lib32tinfo5 5.9+20140118-1ubuntu1+esm4 lib64ncurses5 5.9+20140118-1ubuntu1+esm4 lib64tinfo5 5.9+20140118-1ubuntu1+esm4 libncurses5 5.9+20140118-1ubuntu1+esm4 libncursesw5 5.9+20140118-1ubuntu1+esm4 libtinfo5 5.9+20140118-1ubuntu1+esm4 libx32ncurses5 5.9+20140118-1ubuntu1+esm4 libx32ncursesw5 5.9+20140118-1ubuntu1+esm4 libx32tinfo5 5.9+20140118-1ubuntu1+esm4 ncurses-bin 5.9+20140118-1ubuntu1+esm4 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6451-1 CVE-2020-19189 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6288-2] MySQL vulnerability
== Ubuntu Security Notice USN-6288-2 October 24, 2023 mysql-5.7 vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in MySQL. Software Description: - mysql-5.7: MySQL database Details: USN-6288-1 fixed a vulnerability in MySQL. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.7.43 in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-43.html https://www.oracle.com/security-alerts/cpujul2023.html Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS (Available with Ubuntu Pro): mysql-server-5.75.7.43-0ubuntu0.18.04.1+esm1 Ubuntu 16.04 LTS (Available with Ubuntu Pro): mysql-server-5.75.7.43-0ubuntu0.16.04.1+esm1 This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6288-2 https://ubuntu.com/security/notices/USN-6288-1 CVE-2023-22053 signature.asc Description: PGP signature
[USN-6450-1] OpenSSL vulnerabilities
== Ubuntu Security Notice USN-6450-1 October 24, 2023 openssl vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 23.04 - Ubuntu 22.04 LTS Summary: Several security issues were fixed in OpenSSL. Software Description: - openssl: Secure Socket Layer (SSL) cryptographic library and tools Details: Tony Battersby discovered that OpenSSL incorrectly handled key and initialization vector (IV) lengths. This could lead to truncation issues and result in loss of confidentiality for some symmetric cipher modes. (CVE-2023-5363) Juerg Wullschleger discovered that OpenSSL incorrectly handled the AES-SIV cipher. This could lead to empty data entries being ignored, resulting in certain applications being misled. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-2975) It was discovered that OpenSSL incorrectly handled checking excessively long DH keys or parameters. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-3446, CVE-2023-3817) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: libssl3 3.0.10-1ubuntu2.1 Ubuntu 23.04: libssl3 3.0.8-1ubuntu1.4 Ubuntu 22.04 LTS: libssl3 3.0.2-0ubuntu1.12 After a standard system update you need to reboot your computer to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6450-1 CVE-2023-2975, CVE-2023-3446, CVE-2023-3817, CVE-2023-5363 Package Information: https://launchpad.net/ubuntu/+source/openssl/3.0.10-1ubuntu2.1 https://launchpad.net/ubuntu/+source/openssl/3.0.8-1ubuntu1.4 https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.12 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6445-2] Linux kernel (Intel IoTG) vulnerabilities
== Ubuntu Security Notice USN-6445-2 October 24, 2023 linux-intel-iotg-5.15 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms Details: It was discovered that the IPv6 implementation in the Linux kernel contained a high rate of hash collisions in connection lookup table. A remote attacker could use this to cause a denial of service (excessive CPU consumption). (CVE-2023-1206) Daniel Trujillo, Johannes Wikner, and Kaveh Razavi discovered that some AMD processors utilising speculative execution and branch prediction may allow unauthorised memory reads via a speculative side-channel attack. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2023-20569) It was discovered that the IPv6 RPL protocol implementation in the Linux kernel did not properly handle user-supplied data. A remote attacker could use this to cause a denial of service (system crash). (CVE-2023-2156) Davide Ornaghi discovered that the DECnet network protocol implementation in the Linux kernel contained a null pointer dereference vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Please note that kernel support for the DECnet has been removed to resolve this CVE. (CVE-2023-3338) Ross Lagerwall discovered that the Xen netback backend driver in the Linux kernel did not properly handle certain unusual packets from a paravirtualized network frontend, leading to a buffer overflow. An attacker in a guest VM could use this to cause a denial of service (host system crash) or possibly execute arbitrary code. (CVE-2023-34319) Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate command payload size, leading to a out-of-bounds read vulnerability. A remote attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-38432) It was discovered that the NFC implementation in the Linux kernel contained a use-after-free vulnerability when performing peer-to-peer communication in certain conditions. A privileged attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2023-3863) Laurence Wit discovered that the KSMBD implementation in the Linux kernel did not properly validate a buffer size in certain situations, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-3865) Laurence Wit discovered that the KSMBD implementation in the Linux kernel contained a null pointer dereference vulnerability when handling handling chained requests. A remote attacker could use this to cause a denial of service (system crash). (CVE-2023-3866) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel did not properly handle device initialization failures in certain situations, leading to a use-after-free vulnerability. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2023-4132) Andy Nguyen discovered that the KVM implementation for AMD processors in the Linux kernel with Secure Encrypted Virtualization (SEV) contained a race condition when accessing the GHCB page. A local attacker in a SEV guest VM could possibly use this to cause a denial of service (host system crash). (CVE-2023-4155) It was discovered that the TUN/TAP driver in the Linux kernel did not properly initialize socket data. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-4194) Bien Pham discovered that the netfiler subsystem in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4244) Maxim Suhanov discovered that the exFAT file system implementation in the Linux kernel did not properly check a file name length, leading to an out- of-bounds write vulnerability. An attacker could use this to construct a malicious exFAT image that, when mounted and operated on, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4273) Kyle Zeng discovered that the networking stack implementation in the Linux kernel did not properly validate skb object size in certain conditions. An attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-42752) Kyle Zeng discovered that the netfiler subsystem in the Linux kernel did not properl
[USN-6446-2] Linux kernel vulnerabilities
== Ubuntu Security Notice USN-6446-2 October 24, 2023 linux-gcp-5.15, linux-gkeop-5.15 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems - linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems Details: Ross Lagerwall discovered that the Xen netback backend driver in the Linux kernel did not properly handle certain unusual packets from a paravirtualized network frontend, leading to a buffer overflow. An attacker in a guest VM could use this to cause a denial of service (host system crash) or possibly execute arbitrary code. (CVE-2023-34319) Bien Pham discovered that the netfiler subsystem in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4244) Kyle Zeng discovered that the networking stack implementation in the Linux kernel did not properly validate skb object size in certain conditions. An attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-42752) Kyle Zeng discovered that the netfiler subsystem in the Linux kernel did not properly calculate array offsets, leading to a out-of-bounds write vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-42753) Kyle Zeng discovered that the IPv4 Resource Reservation Protocol (RSVP) classifier implementation in the Linux kernel contained an out-of-bounds read vulnerability. A local attacker could use this to cause a denial of service (system crash). Please note that kernel packet classifier support for RSVP has been removed to resolve this vulnerability. (CVE-2023-42755) Kyle Zeng discovered that the netfilter subsystem in the Linux kernel contained a race condition in IP set operations in certain situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-42756) Bing-Jhong Billy Jheng discovered that the Unix domain socket implementation in the Linux kernel contained a race condition in certain situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4622) Budimir Markovic discovered that the qdisc implementation in the Linux kernel did not properly validate inner classes, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4623) Alex Birnberg discovered that the netfilter subsystem in the Linux kernel did not properly validate register length, leading to an out-of- bounds write vulnerability. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-4881) It was discovered that the Quick Fair Queueing scheduler implementation in the Linux kernel did not properly handle network packets in certain conditions, leading to a use after free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4921) Kevin Rich discovered that the netfilter subsystem in the Linux kernel did not properly handle removal of rules from chain bindings in certain circumstances, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2023-5197) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: linux-image-5.15.0-1031-gkeop 5.15.0-1031.37~20.04.1 linux-image-5.15.0-1045-gcp 5.15.0-1045.53~20.04.2 linux-image-gcp 5.15.0.1045.53~20.04.1 linux-image-gkeop-5.15 5.15.0.1031.37~20.04.27 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-6446-2 https://ubuntu.com/security/notices/USN-6446-1 CVE-2023-34319, CVE-2023-4244, CVE-2023-42752, CVE-2023-42753, CVE-2023-42755, CVE-2023-42756, CVE-2023-4622, CVE-2023-
[USN-6444-2] Linux kernel (StarFive) vulnerabilities
== Ubuntu Security Notice USN-6444-2 October 24, 2023 linux-starfive-6.2 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-starfive-6.2: Linux kernel for StarFive processors Details: Ross Lagerwall discovered that the Xen netback backend driver in the Linux kernel did not properly handle certain unusual packets from a paravirtualized network frontend, leading to a buffer overflow. An attacker in a guest VM could use this to cause a denial of service (host system crash) or possibly execute arbitrary code. (CVE-2023-34319) Bien Pham discovered that the netfiler subsystem in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4244) Kyle Zeng discovered that the networking stack implementation in the Linux kernel did not properly validate skb object size in certain conditions. An attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-42752) Kyle Zeng discovered that the netfiler subsystem in the Linux kernel did not properly calculate array offsets, leading to a out-of-bounds write vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-42753) Kyle Zeng discovered that the IPv4 Resource Reservation Protocol (RSVP) classifier implementation in the Linux kernel contained an out-of-bounds read vulnerability. A local attacker could use this to cause a denial of service (system crash). Please note that kernel packet classifier support for RSVP has been removed to resolve this vulnerability. (CVE-2023-42755) Kyle Zeng discovered that the netfilter subsystem in the Linux kernel contained a race condition in IP set operations in certain situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-42756) Bing-Jhong Billy Jheng discovered that the Unix domain socket implementation in the Linux kernel contained a race condition in certain situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4622) Budimir Markovic discovered that the qdisc implementation in the Linux kernel did not properly validate inner classes, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4623) Alex Birnberg discovered that the netfilter subsystem in the Linux kernel did not properly validate register length, leading to an out-of- bounds write vulnerability. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-4881) It was discovered that the Quick Fair Queueing scheduler implementation in the Linux kernel did not properly handle network packets in certain conditions, leading to a use after free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4921) Kevin Rich discovered that the netfilter subsystem in the Linux kernel did not properly handle removal of rules from chain bindings in certain circumstances, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2023-5197) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: linux-image-6.2.0-1007-starfive 6.2.0-1007.8~22.04.1 linux-image-starfive6.2.0.1007.8~22.04.1 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-6444-2 https://ubuntu.com/security/notices/USN-6444-1 CVE-2023-34319, CVE-2023-4244, CVE-2023-42752, CVE-2023-42753, CVE-2023-42755, CVE-2023-42756, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5197 Package Information: https://launchpad.net/ubuntu/+source/linux-starfive-6.2/6.2.0-1007.8~22.04.1 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6449-1] FFmpeg vulnerabilities
== Ubuntu Security Notice USN-6449-1 October 24, 2023 ffmpeg vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS (Available with Ubuntu Pro) - Ubuntu 20.04 LTS (Available with Ubuntu Pro) - Ubuntu 18.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in FFmpeg. Software Description: - ffmpeg: Tools for transcoding, streaming and playing of multimedia files Details: It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22038) It was discovered that FFmpeg incorrectly handled certain input files, leading to an integer overflow. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-20898, CVE-2021-38090, CVE-2021-38091, CVE-2021-38092, CVE-2021-38093, CVE-2021-38094) It was discovered that FFmpeg incorrectly managed memory, resulting in a memory leak. If a user or automated system were tricked into processing a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. (CVE-2022-48434) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS (Available with Ubuntu Pro): ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm2 libavcodec-extra7:4.4.2-0ubuntu0.22.04.1+esm2 libavcodec-extra58 7:4.4.2-0ubuntu0.22.04.1+esm2 libavcodec587:4.4.2-0ubuntu0.22.04.1+esm2 libavdevice58 7:4.4.2-0ubuntu0.22.04.1+esm2 libavfilter-extra 7:4.4.2-0ubuntu0.22.04.1+esm2 libavfilter-extra7 7:4.4.2-0ubuntu0.22.04.1+esm2 libavfilter77:4.4.2-0ubuntu0.22.04.1+esm2 libavformat-extra 7:4.4.2-0ubuntu0.22.04.1+esm2 libavformat-extra58 7:4.4.2-0ubuntu0.22.04.1+esm2 libavformat58 7:4.4.2-0ubuntu0.22.04.1+esm2 libavutil56 7:4.4.2-0ubuntu0.22.04.1+esm2 libpostproc55 7:4.4.2-0ubuntu0.22.04.1+esm2 libswresample3 7:4.4.2-0ubuntu0.22.04.1+esm2 libswscale-dev 7:4.4.2-0ubuntu0.22.04.1+esm2 libswscale5 7:4.4.2-0ubuntu0.22.04.1+esm2 Ubuntu 20.04 LTS (Available with Ubuntu Pro): ffmpeg 7:4.2.7-0ubuntu0.1+esm3 libavcodec-extra7:4.2.7-0ubuntu0.1+esm3 libavcodec-extra58 7:4.2.7-0ubuntu0.1+esm3 libavcodec587:4.2.7-0ubuntu0.1+esm3 libavdevice58 7:4.2.7-0ubuntu0.1+esm3 libavfilter-extra 7:4.2.7-0ubuntu0.1+esm3 libavfilter-extra7 7:4.2.7-0ubuntu0.1+esm3 libavfilter77:4.2.7-0ubuntu0.1+esm3 libavformat58 7:4.2.7-0ubuntu0.1+esm3 libavresample4 7:4.2.7-0ubuntu0.1+esm3 libavutil56 7:4.2.7-0ubuntu0.1+esm3 libpostproc55 7:4.2.7-0ubuntu0.1+esm3 libswresample3 7:4.2.7-0ubuntu0.1+esm3 libswscale5 7:4.2.7-0ubuntu0.1+esm3 Ubuntu 18.04 LTS (Available with Ubuntu Pro): ffmpeg 7:3.4.11-0ubuntu0.1+esm3 libavcodec-extra7:3.4.11-0ubuntu0.1+esm3 libavcodec-extra57 7:3.4.11-0ubuntu0.1+esm3 libavcodec577:3.4.11-0ubuntu0.1+esm3 libavdevice57 7:3.4.11-0ubuntu0.1+esm3 libavfilter-extra 7:3.4.11-0ubuntu0.1+esm3 libavfilter-extra6 7:3.4.11-0ubuntu0.1+esm3 libavfilter67:3.4.11-0ubuntu0.1+esm3 libavformat57 7:3.4.11-0ubuntu0.1+esm3 libavresample3 7:3.4.11-0ubuntu0.1+esm3 libavutil55 7:3.4.11-0ubuntu0.1+esm3 libpostproc54 7:3.4.11-0ubuntu0.1+esm3 libswresample2 7:3.4.11-0ubuntu0.1+esm3 libswscale4 7:3.4.11-0ubuntu0.1+esm3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6449-1 CVE-2020-20898, CVE-2020-22038, CVE-2021-38090, CVE-2021-38091, CVE-2021-38092, CVE-2021-38093, CVE-2021-38094, CVE-2022-48434 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6422-2] Ring vulnerabilities
== Ubuntu Security Notice USN-6422-2 October 24, 2023 ring vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 Summary: Several security issues were fixed in Ring. Software Description: - ring: Secure and distributed voice, video, and chat platform Details: It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2021-37706) It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-27585) Original advisory details: It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2021-37706) It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302, CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723, CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754, CVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031, CVE-2022-39244) It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2022-21722) It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-27585) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: jami20230206.0~ds2-1.3ubuntu0.1 jami-daemon 20230206.0~ds2-1.3ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6422-2 https://ubuntu.com/security/notices/USN-6422-1 CVE-2021-37706, CVE-2023-27585 Package Information: https://launchpad.net/ubuntu/+source/ring/20230206.0~ds2-1.3ubuntu0.1 OpenPGP_0x56383E35D153B8B2.asc Description: OpenPGP public key OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6448-1] Sofia-SIP vulnerability
== Ubuntu Security Notice USN-6448-1 October 24, 2023 sofia-sip vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Sofia-SIP could be made to crash or run programs if it received specially crafted network traffic. Software Description: - sofia-sip: Sofia-SIP library development files Details: Xu Biang discovered that Sofia-SIP did not properly manage memory when handling STUN packets. An attacker could use this issue to cause Sofia-SIP to crash, resulting in a denial of service, or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: libsofia-sip-ua-glib3 1.12.11+20110422.1+1e14eea~dfsg-4ubuntu1.23.10.1 libsofia-sip-ua0 1.12.11+20110422.1+1e14eea~dfsg-4ubuntu1.23.10.1 sofia-sip-bin 1.12.11+20110422.1+1e14eea~dfsg-4ubuntu1.23.10.1 Ubuntu 23.04: libsofia-sip-ua-glib3 1.12.11+20110422.1+1e14eea~dfsg-4ubuntu1.23.04.1 libsofia-sip-ua0 1.12.11+20110422.1+1e14eea~dfsg-4ubuntu1.23.04.1 sofia-sip-bin 1.12.11+20110422.1+1e14eea~dfsg-4ubuntu1.23.04.1 Ubuntu 22.04 LTS: libsofia-sip-ua-glib3 1.12.11+20110422.1-2.1+deb10u3ubuntu0.22.04.2 libsofia-sip-ua01.12.11+20110422.1-2.1+deb10u3ubuntu0.22.04.2 sofia-sip-bin 1.12.11+20110422.1-2.1+deb10u3ubuntu0.22.04.2 Ubuntu 20.04 LTS: libsofia-sip-ua-glib3 1.12.11+20110422.1-2.1+deb10u3ubuntu0.20.04.2 libsofia-sip-ua01.12.11+20110422.1-2.1+deb10u3ubuntu0.20.04.2 sofia-sip-bin 1.12.11+20110422.1-2.1+deb10u3ubuntu0.20.04.2 Ubuntu 18.04 LTS (Available with Ubuntu Pro): libsofia-sip-ua-glib3 1.12.11+20110422.1-2.1+deb10u3ubuntu0.18.04.1~esm1 libsofia-sip-ua0 1.12.11+20110422.1-2.1+deb10u3ubuntu0.18.04.1~esm1 sofia-sip-bin 1.12.11+20110422.1-2.1+deb10u3ubuntu0.18.04.1~esm1 Ubuntu 16.04 LTS (Available with Ubuntu Pro): libsofia-sip-ua-glib3 1.12.11+20110422.1-2.1+deb10u3ubuntu0.16.04.1~esm2 libsofia-sip-ua0 1.12.11+20110422.1-2.1+deb10u3ubuntu0.16.04.1~esm2 sofia-sip-bin 1.12.11+20110422.1-2.1+deb10u3ubuntu0.16.04.1~esm2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6448-1 CVE-2023-32307 Package Information: https://launchpad.net/ubuntu/+source/sofia-sip/1.12.11+20110422.1+1e14eea~dfsg-4ubuntu1.23.10.1 https://launchpad.net/ubuntu/+source/sofia-sip/1.12.11+20110422.1+1e14eea~dfsg-4ubuntu1.23.04.1 https://launchpad.net/ubuntu/+source/sofia-sip/1.12.11+20110422.1-2.1+deb10u3ubuntu0.22.04.2 https://launchpad.net/ubuntu/+source/sofia-sip/1.12.11+20110422.1-2.1+deb10u3ubuntu0.20.04.2 OpenPGP_signature.asc Description: OpenPGP digital signature