[USN-6777-3] Linux kernel (GCP) vulnerabilities
==
Ubuntu Security Notice USN-6777-3
May 21, 2024

linux-gcp vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a
use-after-free vulnerability. A physically proximate attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-47233)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Block layer subsystem;
- Userspace I/O drivers;
- Ceph distributed file system;
- Ext4 file system;
- JFS file system;
- NILFS2 file system;
- Bluetooth subsystem;
- Networking core;
- IPv4 networking;
- IPv6 networking;
- Logical Link layer;
- MAC80211 subsystem;
- Netlink;
- NFC subsystem;
- Tomoyo security module;
(CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, CVE-2023-52439,
CVE-2024-26635, CVE-2023-52602, CVE-2024-26614, CVE-2024-26704,
CVE-2023-52604, CVE-2023-52566, CVE-2021-46981, CVE-2024-26622,
CVE-2024-26735, CVE-2024-26805, CVE-2024-26801, CVE-2023-52583)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
  linux-image-4.15.0-1162-gcp     4.15.0-1162.179~16.04.1
                                  Available with Ubuntu Pro
  linux-image-gcp                 4.15.0.1162.179~16.04.1
                                  Available with Ubuntu Pro
  linux-image-gke                 4.15.0.1162.179~16.04.1
                                  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-6777-3
  https://ubuntu.com/security/notices/USN-6777-1
  CVE-2021-46981, CVE-2023-47233, CVE-2023-52439, CVE-2023-52524,
  CVE-2023-52530, CVE-2023-52566, CVE-2023-52583, CVE-2023-52601,
  CVE-2023-52602, CVE-2023-52604, CVE-2024-26614, CVE-2024-26622,
  CVE-2024-26635, CVE-2024-26704, CVE-2024-26735, CVE-2024-26801,
  CVE-2024-26805

[USN-6775-2] Linux kernel vulnerabilities
==
Ubuntu Security Notice USN-6775-2
May 21, 2024

linux-aws, linux-aws-5.15, linux-gke vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a
use-after-free vulnerability. A physically proximate attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-47233)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- MAC80211 subsystem;
- Tomoyo security module;
(CVE-2024-26622, CVE-2023-52530)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  linux-image-5.15.0-1059-gke     5.15.0-1059.64
  linux-image-5.15.0-1062-aws     5.15.0-1062.68
  linux-image-aws-lts-22.04       5.15.0.1062.62
  linux-image-gke                 5.15.0.1059.58
  linux-image-gke-5.15            5.15.0.1059.58

Ubuntu 20.04 LTS
  linux-image-5.15.0-1062-aws     5.15.0-1062.68~20.04.1
  linux-image-aws                 5.15.0.1062.68~20.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-6775-2
  https://ubuntu.com/security/notices/USN-6775-1
  CVE-2023-47233, CVE-2023-52530, CVE-2024-26622

Package Information:
  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1062.68
  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1059.64
  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1062.68~20.04.1

[USN-6780-1] idna vulnerability
==
Ubuntu Security Notice USN-6780-1
May 21, 2024

python-idna vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

idna could be made to consume significant resources if it receives a
specially crafted input.

Software Description:
- python-idna: Python IDNA2008 (RFC 5891) handling

Details:

Guido Vranken discovered that idna did not properly manage certain inputs,
which could lead to significant resource consumption. An attacker could
possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-idna                    3.6-2ubuntu0.1

Ubuntu 23.10
  python3-idna                    3.3-2ubuntu0.1

Ubuntu 22.04 LTS
  python3-idna                    3.3-1ubuntu0.1

Ubuntu 20.04 LTS
  python-idna                     2.8-1ubuntu0.1
  python3-idna                    2.8-1ubuntu0.1

Ubuntu 18.04 LTS
  pypy-idna                       2.6-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python-idna                     2.6-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-idna                    2.6-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  pypy-idna                       2.0-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python-idna                     2.0-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-idna                    2.0-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6780-1
  CVE-2024-3651

Package Information:
  https://launchpad.net/ubuntu/+source/python-idna/3.6-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-idna/3.3-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-idna/3.3-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-idna/2.8-1ubuntu0.1

[USN-6781-1] Spreadsheet::ParseExcel vulnerability
==
Ubuntu Security Notice USN-6781-1
May 21, 2024

libspreadsheet-parseexcel-perl vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Spreadsheet::ParseExcel could possibly run commands if it processed a
specially crafted file.

Software Description:
- libspreadsheet-parseexcel-perl: Perl module to access information from
  Excel Spreadsheets

Details:

Le Dinh Hai discovered that Spreadsheet::ParseExcel was passing unvalidated
input from a file into a string-type "eval". An attacker could craft a
malicious file to achieve arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1.1ubuntu0.1

Ubuntu 20.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1ubuntu0.20.04.1

Ubuntu 18.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1ubuntu0.18.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1ubuntu0.16.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libspreadsheet-parseexcel-perl  0.5800-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6781-1
  CVE-2023-7101

Package Information:
  https://launchpad.net/ubuntu/+source/libspreadsheet-parseexcel-perl/0.6500-1.1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libspreadsheet-parseexcel-perl/0.6500-1ubuntu0.20.04.1

[USN-6779-1] Firefox vulnerabilities
==
Ubuntu Security Notice USN-6779-1
May 21, 2024

firefox vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-4767,
CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773,
CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778)

Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory
when audio input connected with multiple consumers. An attacker could
potentially exploit this issue to cause a denial of service, or execute
arbitrary code. (CVE-2024-4764)

Thomas Rinsma discovered that Firefox did not properly perform type checks
when handling fonts in PDF.js. An attacker could potentially exploit this
issue to execute arbitrary JavaScript code in PDF.js. (CVE-2024-4367)

Irvan Kurniawan discovered that Firefox did not properly handle certain
font styles when saving a page to PDF. An attacker could potentially
exploit this issue to cause a denial of service. (CVE-2024-4770)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  firefox                         126.0+build2-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6779-1
  CVE-2024-4367, CVE-2024-4764, CVE-2024-4767, CVE-2024-4768,
  CVE-2024-4769, CVE-2024-4770, CVE-2024-4771, CVE-2024-4772,
  CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776,
  CVE-2024-4777, CVE-2024-4778

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/126.0+build2-0ubuntu0.20.04.1