[USN-6608-1] Linux kernel vulnerabilities
== Ubuntu Security Notice USN-6608-1 January 25, 2024 linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems - linux-laptop: Linux kernel for Lenovo X13s ARM laptops - linux-lowlatency: Linux low latency kernel - linux-oracle: Linux kernel for Oracle Cloud systems - linux-raspi: Linux kernel for Raspberry Pi systems - linux-starfive: Linux kernel for StarFive processors - linux-aws-6.2: Linux kernel for Amazon Web Services (AWS) systems - linux-azure-6.2: Linux kernel for Microsoft Azure cloud systems - linux-azure-fde-6.2: Linux kernel for Microsoft Azure CVM cloud systems - linux-hwe-6.5: Linux hardware enablement (HWE) kernel - linux-lowlatency-hwe-6.5: Linux low latency kernel - linux-oem-6.5: Linux kernel for OEM systems Details: It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate the server frame size in certain situation, leading to an out-of-bounds read vulnerability. An attacker could use this to construct a malicious CIFS image that, when operated on, could cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6606) Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6817) Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf subsystem in the Linux kernel did not properly validate all event sizes when attaching new events, leading to an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6931) It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6932) Kevin Rich discovered that the netfilter subsystem in the Linux kernel did not properly check deactivated elements in certain situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-0193) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: linux-image-6.5.0-1006-starfive 6.5.0-1006.7 linux-image-6.5.0-1008-laptop 6.5.0-1008.11 linux-image-6.5.0-1009-raspi6.5.0-1009.12 linux-image-6.5.0-1011-azure6.5.0-1011.11 linux-image-6.5.0-1011-azure-fde 6.5.0-1011.11 linux-image-6.5.0-1011-gcp 6.5.0-1011.11 linux-image-6.5.0-1012-aws 6.5.0-1012.12 linux-image-6.5.0-1014-oracle 6.5.0-1014.14 linux-image-6.5.0-15-generic6.5.0-15.15 linux-image-6.5.0-15-generic-64k 6.5.0-15.15 linux-image-6.5.0-15-lowlatency 6.5.0-15.15.1 linux-image-6.5.0-15-lowlatency-64k 6.5.0-15.15.1 linux-image-aws 6.5.0.1012.12 linux-image-azure 6.5.0.1011.13 linux-image-azure-fde 6.5.0.1011.13 linux-image-gcp 6.5.0.1011.11 linux-image-generic 6.5.0.15.17 linux-image-generic-64k 6.5.0.15.17 linux-image-generic-lpae6.5.0.15.17 linux-image-kvm 6.5.0.15.17 linux-image-laptop-23.106.5.0.1008.11 linux-image-lowlatency 6.5.0.15.15.13 linux-image-lowlatency-64k 6.5.0.15.15.13 linux-image-oracle 6.5.0.1014.14 linux-image-raspi 6.5.0.1009.10 linux-image-raspi-nolpae6.5.0.1009.10 linux-image-starfive6.5.0.1006.8 linux-image-virtual 6.5.0.15.17 Ubuntu 22.04 LTS: linux-image-6.2.0-1018-aws 6.2.0-1018.18~22.04.1 linux-image-6.2.0-1019-azure6.2.0-1019.19~22.04.1 linux-image-6.2.0-1019-azure-fde 6.2.0-1019.19~22.04.1.1 linux-image-6.5.0-1013-oem 6.5.0-1013.14 linux-image-6.5.0-15-generic6.5.0-15.15~22.04.1 linux-image-6.5.0-15-generic-64k 6.5.0-15.15~22.04.1 linux-image-6.5.0-15-lowlatency 6.5.
[USN-6609-1] Linux kernel vulnerabilities
== Ubuntu Security Notice USN-6609-1 January 26, 2024 linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems - linux-gke: Linux kernel for Google Container Engine (GKE) systems - linux-gkeop: Linux kernel for Google Container Engine (GKE) systems - linux-ibm: Linux kernel for IBM cloud systems - linux-kvm: Linux kernel for cloud environments - linux-raspi: Linux kernel for Raspberry Pi systems - linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems - linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems - linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems - linux-hwe-5.15: Linux hardware enablement (HWE) kernel - linux-ibm-5.15: Linux kernel for IBM cloud systems - linux-lowlatency-hwe-5.15: Linux low latency kernel Details: Lin Ma discovered that the netfilter subsystem in the Linux kernel did not properly validate network family support while creating a new netfilter table. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2023-6040) It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate the server frame size in certain situation, leading to an out-of-bounds read vulnerability. An attacker could use this to construct a malicious CIFS image that, when operated on, could cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6606) Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6817) Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf subsystem in the Linux kernel did not properly validate all event sizes when attaching new events, leading to an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6931) It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6932) Kevin Rich discovered that the netfilter subsystem in the Linux kernel did not properly check deactivated elements in certain situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-0193) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: linux-image-5.15.0-1035-gkeop 5.15.0-1035.41 linux-image-5.15.0-1045-ibm 5.15.0-1045.48 linux-image-5.15.0-1045-raspi 5.15.0-1045.48 linux-image-5.15.0-1049-gcp 5.15.0-1049.57 linux-image-5.15.0-1049-gke 5.15.0-1049.54 linux-image-5.15.0-1049-kvm 5.15.0-1049.54 linux-image-5.15.0-1052-aws 5.15.0-1052.57 linux-image-5.15.0-92-generic 5.15.0-92.102 linux-image-5.15.0-92-generic-64k 5.15.0-92.102 linux-image-5.15.0-92-generic-lpae 5.15.0-92.102 linux-image-aws-lts-22.04 5.15.0.1052.51 linux-image-gcp-lts-22.04 5.15.0.1049.45 linux-image-generic 5.15.0.92.89 linux-image-generic-64k 5.15.0.92.89 linux-image-generic-lpae5.15.0.92.89 linux-image-gke 5.15.0.1049.48 linux-image-gke-5.155.15.0.1049.48 linux-image-gkeop 5.15.0.1035.34 linux-image-gkeop-5.15 5.15.0.1035.34 linux-image-ibm 5.15.0.1045.41 linux-image-kvm 5.15.0.1049.45 linux-image-raspi 5.15.0.1045.43 linux-image-raspi-nolpae5.15.0.1045.43 linux-image-virtual 5.15.0.92.89 Ubuntu 20.04 LTS: linux-image-5.15.0-1035-gkeop 5.15.0-1035.41~20.04.1 linux-image-5.15.0-1045-ibm 5.15.0-1045.48~20.04.1 linux-image-5.15.0-1049-gcp 5.15.0-1049.57~20.04.1 linux-image-5.15.0-1052-aws 5.15.0-1052.57~20.04.1 linux-image-5.15.0-92-generic 5.15.0-92.102~20.04.1 linux-image-5.15.0-92-gener
[USN-6607-1] Linux kernel (Azure) vulnerabilities
== Ubuntu Security Notice USN-6607-1 January 25, 2024 linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems - linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems Details: It was discovered that the SMB network file sharing protocol implementation in the Linux kernel did not properly handle certain error conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-5345) Lin Ma discovered that the netfilter subsystem in the Linux kernel did not properly validate network family support while creating a new netfilter table. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2023-6040) It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate the server frame size in certain situation, leading to an out-of-bounds read vulnerability. An attacker could use this to construct a malicious CIFS image that, when operated on, could cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6606) Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6817) Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf subsystem in the Linux kernel did not properly validate all event sizes when attaching new events, leading to an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6931) It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6932) Kevin Rich discovered that the netfilter subsystem in the Linux kernel did not properly check deactivated elements in certain situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-0193) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: linux-image-5.15.0-1054-azure 5.15.0-1054.62 linux-image-5.15.0-1054-azure-fde 5.15.0-1054.62.1 linux-image-azure-fde-lts-22.04 5.15.0.1054.62.32 linux-image-azure-lts-22.04 5.15.0.1054.50 Ubuntu 20.04 LTS: linux-image-5.15.0-1054-azure 5.15.0-1054.62~20.04.1 linux-image-5.15.0-1054-azure-fde 5.15.0-1054.62~20.04.1.1 linux-image-azure 5.15.0.1054.62~20.04.43 linux-image-azure-cvm 5.15.0.1054.62~20.04.43 linux-image-azure-fde 5.15.0.1054.62~20.04.1.32 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-6607-1 CVE-2023-5345, CVE-2023-6040, CVE-2023-6606, CVE-2023-6817, CVE-2023-6931, CVE-2023-6932, CVE-2024-0193 Package Information: https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1054.62 https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1054.62.1 https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1054.62~20.04.1 https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1054.62~20.04.1.1 OpenPGP_signature.asc Description: OpenPGP digital signature
23.04 (Lunar Lobster) reached End of Life on January 25, 2024
This is a follow-up to the End of Life warning sent earlier to confirm that as of January 25, 2024, Ubuntu 23.04 is no longer supported. No more package updates will be accepted to 23.04, and it will be archived to old-releases.ubuntu.com in the coming weeks. Additionally, Ubuntu Security Notices will no longer include information or updated packages for Ubuntu 23.04. The supported upgrade path from Ubuntu 23.04 is via Ubuntu 23.10. Instructions and caveats for the upgrade may be found at: https://help.ubuntu.com/community/ManticUpgrades Ubuntu 23.10 continues to be actively supported with security updates and select high-impact bug fixes. Announcements of security updates for Ubuntu releases are sent to the ubuntu-security-announce mailing list, information about which may be found at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce Since its launch in October 2004 Ubuntu has become one of the most highly regarded Linux distributions with millions of users in homes, schools, businesses and governments around the world. Ubuntu is Open Source software, costs nothing to download, and users are free to customise or alter their software in order to meet their needs. On behalf of the Ubuntu Release Team, -- Brian Murray
[USN-6606-1] Linux kernel (OEM) vulnerabilities
== Ubuntu Security Notice USN-6606-1 January 25, 2024 linux-oem-6.1 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-oem-6.1: Linux kernel for OEM systems Details: It was discovered that a race condition existed in the Bluetooth subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51779) It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate the server frame size in certain situation, leading to an out-of-bounds read vulnerability. An attacker could use this to construct a malicious CIFS image that, when operated on, could cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6606) Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6817) Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf subsystem in the Linux kernel did not properly validate all event sizes when attaching new events, leading to an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6931) Kevin Rich discovered that the netfilter subsystem in the Linux kernel did not properly check deactivated elements in certain situations, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-0193) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: linux-image-6.1.0-1029-oem 6.1.0-1029.29 linux-image-oem-22.04 6.1.0.1029.30 linux-image-oem-22.04a 6.1.0.1029.30 linux-image-oem-22.04b 6.1.0.1029.30 linux-image-oem-22.04c 6.1.0.1029.30 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-6606-1 CVE-2023-51779, CVE-2023-6606, CVE-2023-6817, CVE-2023-6931, CVE-2024-0193 Package Information: https://launchpad.net/ubuntu/+source/linux-oem-6.1/6.1.0-1029.29 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6604-1] Linux kernel vulnerabilities
== Ubuntu Security Notice USN-6604-1 January 25, 2024 linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems - linux-kvm: Linux kernel for cloud environments - linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems - linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems - linux-hwe: Linux hardware enablement (HWE) kernel - linux-oracle: Linux kernel for Oracle Cloud systems Details: It was discovered that the ASUS HID driver in the Linux kernel did not properly handle device removal, leading to a use-after-free vulnerability. A local attacker with physical access could plug in a specially crafted USB device to cause a denial of service (system crash). (CVE-2023-1079) Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Kopf, and Oleksii Oleksenko discovered that some AMD processors could leak stale data from division operations in certain situations. A local attacker could possibly use this to expose sensitive information. (CVE-2023-20588) It was discovered that a race condition existed in the Linux kernel when performing operations with kernel objects, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2023-45863) It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate the server frame size in certain situation, leading to an out-of-bounds read vulnerability. An attacker could use this to construct a malicious CIFS image that, when operated on, could cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6606) Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf subsystem in the Linux kernel did not properly validate all event sizes when attaching new events, leading to an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6931) It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6932) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS (Available with Ubuntu Pro): linux-image-4.15.0-1148-kvm 4.15.0-1148.153 linux-image-4.15.0-1158-gcp 4.15.0-1158.175 linux-image-4.15.0-1164-aws 4.15.0-1164.177 linux-image-4.15.0-221-generic 4.15.0-221.232 linux-image-4.15.0-221-lowlatency 4.15.0-221.232 linux-image-aws-lts-18.04 4.15.0.1164.162 linux-image-gcp-lts-18.04 4.15.0.1158.172 linux-image-generic 4.15.0.221.205 linux-image-kvm 4.15.0.1148.139 linux-image-lowlatency 4.15.0.221.205 linux-image-virtual 4.15.0.221.205 Ubuntu 16.04 LTS (Available with Ubuntu Pro): linux-image-4.15.0-1127-oracle 4.15.0-1127.138~16.04.1 linux-image-4.15.0-1158-gcp 4.15.0-1158.175~16.04.1 linux-image-4.15.0-1164-aws 4.15.0-1164.177~16.04.1 linux-image-4.15.0-221-generic 4.15.0-221.232~16.04.1 linux-image-4.15.0-221-lowlatency 4.15.0-221.232~16.04.1 linux-image-aws-hwe 4.15.0.1164.147 linux-image-gcp 4.15.0.1158.148 linux-image-generic-hwe-16.04 4.15.0.221.5 linux-image-gke 4.15.0.1158.148 linux-image-lowlatency-hwe-16.04 4.15.0.221.5 linux-image-oem 4.15.0.221.5 linux-image-oracle 4.15.0.1127.108 linux-image-virtual-hwe-16.04 4.15.0.221.5 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-6604-1 CVE-2023-1079, CVE-2023-20588, CVE-2023-45863, CVE-2023-6606, CVE-2023-6931, CVE-2
[USN-6605-1] Linux kernel vulnerabilities
== Ubuntu Security Notice USN-6605-1 January 25, 2024 linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems - linux-gkeop: Linux kernel for Google Container Engine (GKE) systems - linux-ibm: Linux kernel for IBM cloud systems - linux-iot: Linux kernel for IoT platforms - linux-oracle: Linux kernel for Oracle Cloud systems - linux-raspi: Linux kernel for Raspberry Pi systems - linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors - linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems - linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems - linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems - linux-hwe-5.4: Linux hardware enablement (HWE) kernel - linux-ibm-5.4: Linux kernel for IBM cloud systems - linux-oracle-5.4: Linux kernel for Oracle Cloud systems - linux-raspi-5.4: Linux kernel for Raspberry Pi systems Details: Lin Ma discovered that the netfilter subsystem in the Linux kernel did not properly validate network family support while creating a new netfilter table. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2023-6040) It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate the server frame size in certain situation, leading to an out-of-bounds read vulnerability. An attacker could use this to construct a malicious CIFS image that, when operated on, could cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6606) Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf subsystem in the Linux kernel did not properly validate all event sizes when attaching new events, leading to an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6931) It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6932) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: linux-image-5.4.0-1029-iot 5.4.0-1029.30 linux-image-5.4.0-1036-xilinx-zynqmp 5.4.0-1036.40 linux-image-5.4.0-1064-ibm 5.4.0-1064.69 linux-image-5.4.0-1077-bluefield 5.4.0-1077.83 linux-image-5.4.0-1084-gkeop5.4.0-1084.88 linux-image-5.4.0-1101-raspi5.4.0-1101.113 linux-image-5.4.0-1116-oracle 5.4.0-1116.125 linux-image-5.4.0-1117-aws 5.4.0-1117.127 linux-image-5.4.0-1121-gcp 5.4.0-1121.130 linux-image-5.4.0-1122-azure5.4.0-1122.129 linux-image-5.4.0-170-generic 5.4.0-170.188 linux-image-5.4.0-170-generic-lpae 5.4.0-170.188 linux-image-5.4.0-170-lowlatency 5.4.0-170.188 linux-image-aws-lts-20.04 5.4.0.1117.114 linux-image-azure-lts-20.04 5.4.0.1122.115 linux-image-bluefield 5.4.0.1077.72 linux-image-gcp-lts-20.04 5.4.0.1121.123 linux-image-generic 5.4.0.170.168 linux-image-generic-lpae5.4.0.170.168 linux-image-gkeop 5.4.0.1084.82 linux-image-gkeop-5.4 5.4.0.1084.82 linux-image-ibm-lts-20.04 5.4.0.1064.93 linux-image-lowlatency 5.4.0.170.168 linux-image-oem 5.4.0.170.168 linux-image-oem-osp15.4.0.170.168 linux-image-oracle-lts-20.045.4.0.1116.109 linux-image-raspi 5.4.0.1101.131 linux-image-raspi2 5.4.0.1101.131 linux-image-virtual 5.4.0.170.168 linux-image-xilinx-zynqmp 5.4.0.1036.36 Ubuntu 18.04 LTS (Available with Ubuntu Pro): linux-image-5.4.0-1064-ibm 5.4.0-1064.69~18.04.1 linux-image-5.4.0-1101-raspi5.4.0-1101.113~18.04.1 linux-image-5.4.0-1116-oracle 5.4.0-1116.125~18.04.1 linux-image-5.4.0-1117-aws 5.4.0-1117.127~18.04.1 linux-image-5.4.0-1121-gcp 5.4.0-1121.130~18.04.1 linux-image-5.4.0-1122-azure
[USN-6603-1] Linux kernel (AWS) vulnerabilities
== Ubuntu Security Notice USN-6603-1 January 25, 2024 linux-aws vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-aws: Linux kernel for Amazon Web Services (AWS) systems Details: It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate the server frame size in certain situation, leading to an out-of-bounds read vulnerability. An attacker could use this to construct a malicious CIFS image that, when operated on, could cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6606) Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf subsystem in the Linux kernel did not properly validate all event sizes when attaching new events, leading to an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6931) It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6932) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS (Available with Ubuntu Pro): linux-image-4.4.0-1165-aws 4.4.0-1165.180 linux-image-aws 4.4.0.1165.169 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-6603-1 CVE-2023-6606, CVE-2023-6931, CVE-2023-6932 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6602-1] Linux kernel vulnerabilities
== Ubuntu Security Notice USN-6602-1 January 25, 2024 linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS (Available with Ubuntu Pro) - Ubuntu 14.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-kvm: Linux kernel for cloud environments - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Details: Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Kopf, and Oleksii Oleksenko discovered that some AMD processors could leak stale data from division operations in certain situations. A local attacker could possibly use this to expose sensitive information. (CVE-2023-20588) It was discovered that a race condition existed in the Linux kernel when performing operations with kernel objects, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2023-45863) It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate the server frame size in certain situation, leading to an out-of-bounds read vulnerability. An attacker could use this to construct a malicious CIFS image that, when operated on, could cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6606) Budimir Markovic, Lucas De Marchi, and Pengfei Xu discovered that the perf subsystem in the Linux kernel did not properly validate all event sizes when attaching new events, leading to an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6931) It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-6932) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS (Available with Ubuntu Pro): linux-image-4.4.0-1128-kvm 4.4.0-1128.138 linux-image-4.4.0-250-generic 4.4.0-250.284 linux-image-4.4.0-250-lowlatency 4.4.0-250.284 linux-image-generic 4.4.0.250.256 linux-image-generic-lts-xenial 4.4.0.250.256 linux-image-kvm 4.4.0.1128.125 linux-image-lowlatency 4.4.0.250.256 linux-image-lowlatency-lts-xenial 4.4.0.250.256 linux-image-virtual 4.4.0.250.256 linux-image-virtual-lts-xenial 4.4.0.250.256 Ubuntu 14.04 LTS (Available with Ubuntu Pro): linux-image-4.4.0-1127-aws 4.4.0-1127.133 linux-image-4.4.0-250-generic 4.4.0-250.284~14.04.1 linux-image-4.4.0-250-lowlatency 4.4.0-250.284~14.04.1 linux-image-aws 4.4.0.1127.124 linux-image-generic-lts-xenial 4.4.0.250.217 linux-image-lowlatency-lts-xenial 4.4.0.250.217 linux-image-virtual-lts-xenial 4.4.0.250.217 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-6602-1 CVE-2023-20588, CVE-2023-45863, CVE-2023-6606, CVE-2023-6931, CVE-2023-6932 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6601-1] Linux kernel vulnerability
== Ubuntu Security Notice USN-6601-1 January 25, 2024 linux vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS (Available with Ubuntu Pro) Summary: The system could be made to crash or run programs as an administrator. Software Description: - linux: Linux kernel Details: It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS (Available with Ubuntu Pro): linux-image-3.13.0-195-generic 3.13.0-195.246 linux-image-3.13.0-195-lowlatency 3.13.0-195.246 linux-image-generic 3.13.0.195.205 linux-image-generic-lts-trusty 3.13.0.195.205 linux-image-lowlatency 3.13.0.195.205 linux-image-server 3.13.0.195.205 linux-image-virtual 3.13.0.195.205 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-6601-1 CVE-2023-6932 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6600-1] MariaDB vulnerabilities
== Ubuntu Security Notice USN-6600-1 January 25, 2024 mariadb, mariadb-10.3, mariadb-10.6 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in MariaDB. Software Description: - mariadb: MariaDB database - mariadb-10.6: MariaDB database - mariadb-10.3: MariaDB database Details: Several security issues were discovered in MariaDB and this update includes new upstream MariaDB versions to fix these issues. MariaDB has been updated to 10.3.39 in Ubuntu 20.04 LTS, 10.6.16 in Ubuntu 22.04 LTS and 10.11.6 in Ubuntu 23.10. CVE-2022-47015 only affected the MariaDB packages in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: mariadb-server 1:10.11.6-0ubuntu0.23.10.2 Ubuntu 22.04 LTS: mariadb-server 1:10.6.16-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: mariadb-server 1:10.3.39-0ubuntu0.20.04.2 This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6600-1 CVE-2022-47015, CVE-2023-22084 Package Information: https://launchpad.net/ubuntu/+source/mariadb/1:10.11.6-0ubuntu0.23.10.2 https://launchpad.net/ubuntu/+source/mariadb-10.6/1:10.6.16-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/mariadb-10.3/1:10.3.39-0ubuntu0.20.04.2 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6599-1] Jinja2 vulnerabilities
== Ubuntu Security Notice USN-6599-1 January 25, 2024 jinja2 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) - Ubuntu 14.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in jinja2. Software Description: - jinja2: documentation for the Jinja2 Python library Details: Yeting Li discovered that Jinja incorrectly handled certain regex. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-28493) It was discovered that Jinja incorrectly handled certain HTML passed with xmlatter filter. An attacker could inject arbitrary HTML attributes keys and values potentially leading to XSS. (CVE-2024-22195) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: python3-jinja2 3.1.2-1ubuntu0.23.10.1 Ubuntu 22.04 LTS: python3-jinja2 3.0.3-1ubuntu0.1 Ubuntu 20.04 LTS: python-jinja2 2.10.1-2ubuntu0.2 python3-jinja2 2.10.1-2ubuntu0.2 Ubuntu 18.04 LTS (Available with Ubuntu Pro): python-jinja2 2.10-1ubuntu0.18.04.1+esm1 python3-jinja2 2.10-1ubuntu0.18.04.1+esm1 Ubuntu 16.04 LTS (Available with Ubuntu Pro): python-jinja2 2.8-1ubuntu0.1+esm2 python3-jinja2 2.8-1ubuntu0.1+esm2 Ubuntu 14.04 LTS (Available with Ubuntu Pro): python-jinja2 2.7.2-2ubuntu0.1~esm2 python3-jinja2 2.7.2-2ubuntu0.1~esm2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6599-1 CVE-2020-28493, CVE-2024-22195 Package Information: https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/jinja2/3.0.3-1ubuntu0.1 https://launchpad.net/ubuntu/+source/jinja2/2.10.1-2ubuntu0.2 signature.asc Description: PGP signature
[USN-6597-1] Puma vulnerability
== Ubuntu Security Notice USN-6597-1 January 25, 2024 puma vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 23.04 Summary: Puma could be made to consume resources if it received specially crafted network traffic. Software Description: - puma: threaded HTTP 1.1 server for Ruby/Rack applications Details: It was discovered that Puma incorrectly handled parsing chunked transfer encoding bodies. A remote attacker could possibly use this issue to cause Puma to consume resources, leading to a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: puma5.6.5-4ubuntu2.1 Ubuntu 23.04: puma5.6.5-3ubuntu1.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6597-1 CVE-2024-21647 Package Information: https://launchpad.net/ubuntu/+source/puma/5.6.5-4ubuntu2.1 https://launchpad.net/ubuntu/+source/puma/5.6.5-3ubuntu1.2 OpenPGP_signature.asc Description: OpenPGP digital signature
[USN-6598-1] Paramiko vulnerability
== Ubuntu Security Notice USN-6598-1 January 25, 2024 paramiko vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: A protocol flaw was fixed in Paramiko. Software Description: - paramiko: Python SSH2 library Details: Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: python3-paramiko2.12.0-2ubuntu1.23.10.2 Ubuntu 22.04 LTS: python3-paramiko2.9.3-0ubuntu1.2 Ubuntu 20.04 LTS: python3-paramiko2.6.0-2ubuntu0.3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6598-1 CVE-2023-48795 Package Information: https://launchpad.net/ubuntu/+source/paramiko/2.12.0-2ubuntu1.23.10.2 https://launchpad.net/ubuntu/+source/paramiko/2.9.3-0ubuntu1.2 https://launchpad.net/ubuntu/+source/paramiko/2.6.0-2ubuntu0.3 OpenPGP_signature.asc Description: OpenPGP digital signature
