[USN-6490-1] WebKitGTK vulnerabilities

2023-11-20 Thread Marc Deslauriers

==
Ubuntu Security Notice USN-6490-1
November 20, 2023

webkit2gtk vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:
- webkit2gtk: Web content engine library for GTK+

Details:

Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libjavascriptcoregtk-4.0-18 2.42.2-0ubuntu0.23.10.1
  libjavascriptcoregtk-4.1-0  2.42.2-0ubuntu0.23.10.1
  libjavascriptcoregtk-6.0-1  2.42.2-0ubuntu0.23.10.1
  libwebkit2gtk-4.0-37        2.42.2-0ubuntu0.23.10.1
  libwebkit2gtk-4.1-0         2.42.2-0ubuntu0.23.10.1
  libwebkitgtk-6.0-4          2.42.2-0ubuntu0.23.10.1

Ubuntu 23.04:
  libjavascriptcoregtk-4.0-18 2.42.2-0ubuntu0.23.04.1
  libjavascriptcoregtk-4.1-0  2.42.2-0ubuntu0.23.04.1
  libjavascriptcoregtk-6.0-1  2.42.2-0ubuntu0.23.04.1
  libwebkit2gtk-4.0-37        2.42.2-0ubuntu0.23.04.1
  libwebkit2gtk-4.1-0         2.42.2-0ubuntu0.23.04.1
  libwebkitgtk-6.0-4          2.42.2-0ubuntu0.23.04.1

Ubuntu 22.04 LTS:
  libjavascriptcoregtk-4.0-18 2.42.2-0ubuntu0.22.04.1
  libjavascriptcoregtk-4.1-0  2.42.2-0ubuntu0.22.04.1
  libjavascriptcoregtk-6.0-1  2.42.2-0ubuntu0.22.04.1
  libwebkit2gtk-4.0-37        2.42.2-0ubuntu0.22.04.1
  libwebkit2gtk-4.1-0         2.42.2-0ubuntu0.22.04.1
  libwebkitgtk-6.0-4          2.42.2-0ubuntu0.22.04.1
  libwebkitgtk-6.0-dev        2.42.2-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6490-1
  CVE-2023-41983, CVE-2023-42852

Package Information:
  https://launchpad.net/ubuntu/+source/webkit2gtk/2.42.2-0ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/webkit2gtk/2.42.2-0ubuntu0.23.04.1
  https://launchpad.net/ubuntu/+source/webkit2gtk/2.42.2-0ubuntu0.22.04.1






[USN-6488-1] strongSwan vulnerability

2023-11-20 Thread Marc Deslauriers

==
Ubuntu Security Notice USN-6488-1
November 20, 2023

strongswan vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

strongSwan could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- strongswan: IPsec VPN solution

Details:

Florian Picca discovered that strongSwan incorrectly handled certain DH
public values. A remote attacker could use this issue to cause strongSwan
to crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libstrongswan   5.9.11-1ubuntu1.1
  strongswan  5.9.11-1ubuntu1.1

Ubuntu 23.04:
  libstrongswan   5.9.8-3ubuntu4.1
  strongswan  5.9.8-3ubuntu4.1

Ubuntu 22.04 LTS:
  libstrongswan   5.9.5-2ubuntu2.2
  strongswan  5.9.5-2ubuntu2.2

Ubuntu 20.04 LTS:
  libstrongswan   5.8.2-1ubuntu3.6
  strongswan  5.8.2-1ubuntu3.6

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6488-1
  CVE-2023-41913

Package Information:
  https://launchpad.net/ubuntu/+source/strongswan/5.9.11-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/strongswan/5.9.8-3ubuntu4.1
  https://launchpad.net/ubuntu/+source/strongswan/5.9.5-2ubuntu2.2
  https://launchpad.net/ubuntu/+source/strongswan/5.8.2-1ubuntu3.6






[USN-6489-1] Tang vulnerability

2023-11-20 Thread Jorge Sancho Larraz

==
Ubuntu Security Notice USN-6489-1
November 20, 2023

tang vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Tang could allow unintended access to secret keys.

Software Description:
- tang: network-based cryptographic binding server

Details:

Brian McDermott discovered that Tang incorrectly handled permissions when
creating/rotating keys. A local attacker could possibly use this issue to
read the keys.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
  tang-common 11-2ubuntu0.1

Ubuntu 22.04 LTS:
  tang-common 11-1ubuntu0.1

Ubuntu 20.04 LTS:
  tang    7-1ubuntu0.2

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  tang    6-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6489-1
  CVE-2023-1672

Package Information:
  https://launchpad.net/ubuntu/+source/tang/11-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/tang/11-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/tang/7-1ubuntu0.2






[USN-6487-1] Avahi vulnerabilities

2023-11-20 Thread Nick Galanis

==
Ubuntu Security Notice USN-6487-1
November 20, 2023

avahi vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Avahi could be made to crash if it received specially crafted
input.

Software Description:
- avahi: IPv4LL network address configuration daemon

Details:

Evgeny Vereshchagin discovered that Avahi contained several reachable
assertions, which could lead to intentional assertion failures when
specially crafted user input was given. An attacker could possibly use
this issue to cause a denial of service. (CVE-2023-38469, CVE-2023-38470,
CVE-2023-38471, CVE-2023-38472, CVE-2023-38473)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  avahi-daemon      0.8-10ubuntu1.1
  libavahi-client3  0.8-10ubuntu1.1
  libavahi-common3  0.8-10ubuntu1.1
  libavahi-core7    0.8-10ubuntu1.1

Ubuntu 23.04:
  avahi-daemon      0.8-6ubuntu1.23.04.2
  libavahi-client3  0.8-6ubuntu1.23.04.2
  libavahi-common3  0.8-6ubuntu1.23.04.2
  libavahi-core7    0.8-6ubuntu1.23.04.2

Ubuntu 22.04 LTS:
  avahi-daemon      0.8-5ubuntu5.2
  libavahi-client3  0.8-5ubuntu5.2
  libavahi-common3  0.8-5ubuntu5.2
  libavahi-core7    0.8-5ubuntu5.2

Ubuntu 20.04 LTS:
  avahi-daemon      0.7-4ubuntu7.3
  libavahi-client3  0.7-4ubuntu7.3
  libavahi-common3  0.7-4ubuntu7.3
  libavahi-core7    0.7-4ubuntu7.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  avahi-daemon      0.7-3.1ubuntu1.3+esm2
  libavahi-client3  0.7-3.1ubuntu1.3+esm2
  libavahi-common3  0.7-3.1ubuntu1.3+esm2
  libavahi-core7    0.7-3.1ubuntu1.3+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  avahi-daemon      0.6.32~rc+dfsg-1ubuntu2.3+esm3
  libavahi-client3  0.6.32~rc+dfsg-1ubuntu2.3+esm3
  libavahi-common3  0.6.32~rc+dfsg-1ubuntu2.3+esm3
  libavahi-core7    0.6.32~rc+dfsg-1ubuntu2.3+esm3

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  avahi-daemon      0.6.31-4ubuntu1.3+esm3
  libavahi-client3  0.6.31-4ubuntu1.3+esm3
  libavahi-common3  0.6.31-4ubuntu1.3+esm3
  libavahi-core7    0.6.31-4ubuntu1.3+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6487-1
  CVE-2023-38469, CVE-2023-38470, CVE-2023-38471, CVE-2023-38472,
  CVE-2023-38473

Package Information:
  https://launchpad.net/ubuntu/+source/avahi/0.8-10ubuntu1.1
  https://launchpad.net/ubuntu/+source/avahi/0.8-6ubuntu1.23.04.2
  https://launchpad.net/ubuntu/+source/avahi/0.8-5ubuntu5.2
  https://launchpad.net/ubuntu/+source/avahi/0.7-4ubuntu7.3






[USN-6486-1] iniParser vulnerability

2023-11-20 Thread Leonidas S. Barbosa

==
Ubuntu Security Notice USN-6486-1
November 20, 2023

iniparser vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS

Summary:

Iniparser could be made to crash if it received a specially crafted file.

Software Description:
- iniparser: development files for the iniParser INI file reader/writer

Details:

It was discovered that iniParser incorrectly handled certain files.
An attacker could possibly use this issue to cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libiniparser1   4.1-6ubuntu0.23.10.1

Ubuntu 23.04:
  libiniparser1   4.1-6ubuntu0.23.04.1

Ubuntu 22.04 LTS:
  libiniparser1   4.1-4ubuntu4.1

In general, a standard system update will make all the necessary changes.
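Each notice above gives, per release, the package version that carries the fix, so the check a practitioner wants is whether the installed version is at or beyond that version. The following is an added example, not part of the Ubuntu notices and not dpkg's own code: it re-implements the dpkg version ordering in Python (epoch, upstream version and Debian revision; digit runs compared numerically; `~` sorting before everything, including the end of a string, so `1~esm1` is older than `1`), parses the `${Package}\t${Version}` lines that `dpkg-query -W -f='${Package}\t${Version}\n'` prints, and reports installed packages still below the listed version. The dpkg-query output embedded here is a constructed sample; the fixed versions are the Ubuntu 23.10 entries from USN-6490-1 and USN-6487-1 above. The comparison goes beyond the versions on this page and handles epochs and `~` suffixes as well.

```python
"""Compare installed Ubuntu package versions against the fixed versions of a
USN. Added example; not Ubuntu's or dpkg's code. The dpkg-query output below
is a constructed sample so that the script runs offline; on a real host use
the output of: dpkg-query -W -f='${Package}\t${Version}\n' <packages...>
"""
from typing import Dict, List, Tuple

# Fixed versions for Ubuntu 23.10 taken from USN-6490-1 and USN-6487-1 above.
# The table must match the release actually installed on the host.
FIXED_VERSIONS_23_10: Dict[str, str] = {
    "libjavascriptcoregtk-4.1-0": "2.42.2-0ubuntu0.23.10.1",
    "libwebkit2gtk-4.1-0": "2.42.2-0ubuntu0.23.10.1",
    "libwebkitgtk-6.0-4": "2.42.2-0ubuntu0.23.10.1",
    "avahi-daemon": "0.8-10ubuntu1.1",
    "libavahi-core7": "0.8-10ubuntu1.1",
}

# Constructed sample of dpkg-query output: two packages already at the fixed
# version, two still on an older build, and libavahi-core7 not installed.
SAMPLE_DPKG_QUERY_OUTPUT = """\
libjavascriptcoregtk-4.1-0\t2.42.2-0ubuntu0.23.10.1
libwebkit2gtk-4.1-0\t2.42.1-0ubuntu0.23.10.1
libwebkitgtk-6.0-4\t2.42.2-0ubuntu0.23.10.1
avahi-daemon\t0.8-10ubuntu1
"""


def _order(c: str) -> int:
    """Character weight dpkg uses inside non-digit segments."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1  # '~' sorts before everything, even the end of the string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0  # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Order two version fragments as dpkg's verrevcmp does: alternate
    non-digit segments (character weights) and digit segments (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # longer digit run means larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _parse(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' present: everything is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as 'dpkg --compare-versions' would order a vs b."""
    ea, ua, ra = _parse(a)
    eb, ub, rb = _parse(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_dpkg_query(text: str) -> Dict[str, str]:
    """Parse '<package>\\t<version>' lines into a mapping."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            pkg, _, ver = line.partition("\t")
            installed[pkg.strip()] = ver.strip()
    return installed


def find_unpatched(installed: Dict[str, str], fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, required) for installed packages older than
    the notice's version; packages that are not installed are not affected."""
    return [
        (pkg, installed[pkg], required)
        for pkg, required in fixed.items()
        if pkg in installed and compare_versions(installed[pkg], required) < 0
    ]


if __name__ == "__main__":
    for pkg, cur, req in find_unpatched(parse_dpkg_query(SAMPLE_DPKG_QUERY_OUTPUT), FIXED_VERSIONS_23_10):
        print(f"{pkg}: installed {cur}, notice requires {req}")
```

Run against the sample it reports `libwebkit2gtk-4.1-0` and `avahi-daemon` as still unpatched; a real run would feed the actual dpkg-query output and the table for the host's release. Packages that are missing from the dpkg-query output are skipped deliberately, since a library that is not installed is not exposed.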

References:
  https://ubuntu.com/security/notices/USN-6486-1
  CVE-2023-33461

Package Information:
  https://launchpad.net/ubuntu/+source/iniparser/4.1-6ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/iniparser/4.1-6ubuntu0.23.04.1
  https://launchpad.net/ubuntu/+source/iniparser/4.1-4ubuntu4.1


