[USN-6856-1] FontForge vulnerabilities

2024-06-27 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6856-1
June 27, 2024

fontforge vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in FontForge.

Software Description:
- fontforge: Free (libre) font editor for Windows, Mac OS X and GNU+Linux

Details:

It was discovered that FontForge incorrectly handled filenames. If a user or an
automated system were tricked into opening a specially crafted input file, a
remote attacker could possibly use this issue to perform a command injection.
(CVE-2024-25081)

It was discovered that FontForge incorrectly handled archives and compressed
files. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to perform
command injection. (CVE-2024-25082)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  fontforge   1:20230101~dfsg-1ubuntu0.1
  python3-fontforge   1:20230101~dfsg-1ubuntu0.1

Ubuntu 22.04 LTS
  fontforge   1:20201107~dfsg-4+deb11u1build0.22.04.1
  python3-fontforge   1:20201107~dfsg-4+deb11u1build0.22.04.1

Ubuntu 20.04 LTS
  fontforge   1:20190801~dfsg-4ubuntu0.1
  python3-fontforge   1:20190801~dfsg-4ubuntu0.1

Ubuntu 18.04 LTS
  fontforge   1:20170731~dfsg-1ubuntu0.1~esm1
  Available with Ubuntu Pro
  python-fontforge   1:20170731~dfsg-1ubuntu0.1~esm1
  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  fontforge   20120731.b-7.1ubuntu0.1+esm1
  Available with Ubuntu Pro
  python-fontforge   20120731.b-7.1ubuntu0.1+esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
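The update-instruction stanzas above follow a fixed layout (a release header, then one indented "package  version" line per binary package), so a defender can script the "am I patched?" check instead of reading each notice by hand. The following is an added example, not part of the notice or of Ubuntu's tooling: it parses those stanzas into release/package/version triples and compares them against an installed-package inventory using a reimplementation of dpkg's version-ordering rules (epoch, upstream, revision, with `~` sorting before everything). The sample notice text is quoted from USN-6856-1 above; the inventory is constructed.

```python
import re

# Constructed sample: the "Update instructions" block of USN-6856-1 as printed
# above, trimmed to the Ubuntu 23.10 and Ubuntu 18.04 LTS stanzas.
USN_6856_1 = """\
Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  fontforge   1:20230101~dfsg-1ubuntu0.1
  python3-fontforge   1:20230101~dfsg-1ubuntu0.1

Ubuntu 18.04 LTS
  fontforge   1:20170731~dfsg-1ubuntu0.1~esm1
  Available with Ubuntu Pro
  python-fontforge   1:20170731~dfsg-1ubuntu0.1~esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
"""


def parse_update_instructions(text):
    """Map release -> {binary package: fixed version} from a USN body."""
    fixed, release, in_block = {}, None, False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Update instructions:"):
            in_block = True
            continue
        if not in_block or not line:
            continue
        if line.startswith("In general,"):
            break
        if not line.startswith(" "):
            # Stanza header, e.g. "Ubuntu 18.04 LTS (Available with Ubuntu Pro):"
            if line.startswith("Ubuntu"):
                release = line.split("(")[0].rstrip(": ")
            continue
        parts = line.split()
        if len(parts) == 2 and release:  # skips "Available with Ubuntu Pro"
            fixed.setdefault(release, {})[parts[0]] = parts[1]
    return fixed


def _order(c):
    """dpkg character weight: '~' sorts before end-of-string, letters before others."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Compare one version component as dpkg does: non-digit run, then digit run."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for Debian versions v1 <, ==, > v2 ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def outdated_packages(fixed, release, installed):
    """(package, installed, fixed) for every installed package older than the fix."""
    return [
        (pkg, installed[pkg], ver)
        for pkg, ver in fixed.get(release, {}).items()
        if pkg in installed and compare_versions(installed[pkg], ver) < 0
    ]


if __name__ == "__main__":
    # Constructed inventory; a real one comes from `dpkg-query -W -f='${Package} ${Version}\n'`.
    inventory = {"fontforge": "1:20230101~dfsg-1", "python3-fontforge": "1:20230101~dfsg-1ubuntu0.1"}
    fixed = parse_update_instructions(USN_6856_1)
    for pkg, have, need in outdated_packages(fixed, "Ubuntu 23.10", inventory):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

Note that an ESM version such as `1ubuntu0.1~esm1` sorts below `1ubuntu0.1`, so a host that is on the Ubuntu Pro track must be compared against the ESM version listed for its release, not against a later release's version string.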

References:
  https://ubuntu.com/security/notices/USN-6856-1
  CVE-2024-25081, CVE-2024-25082

Package Information:
  https://launchpad.net/ubuntu/+source/fontforge/1:20230101~dfsg-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/fontforge/1:20201107~dfsg-4+deb11u1build0.22.04.1
  https://launchpad.net/ubuntu/+source/fontforge/1:20190801~dfsg-4ubuntu0.1



OpenPGP_signature.asc
Description: OpenPGP digital signature



[USN-6846-1] Ansible vulnerabilities

2024-06-25 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6846-1
June 25, 2024

ansible vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Ansible.

Software Description:
- ansible: Configuration management, deployment, and task execution system

Details:

It was discovered that Ansible incorrectly handled certain inputs when using the
tower_callback parameter. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to obtain sensitive information. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3697)

It was discovered that Ansible incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file, a
remote attacker could possibly use this issue to perform a Template Injection.
(CVE-2023-5764)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  ansible 2.10.7+merged+base+2.10.8+dfsg-1ubuntu0.1~esm4
  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  ansible 2.9.6+dfsg-1ubuntu0.1~esm2
  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ansible 2.5.1+dfsg-1ubuntu0.1+esm2
  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  ansible 2.0.0.2-2ubuntu1.3+esm2
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6846-1
  CVE-2022-3697, CVE-2023-5764






[USN-6845-1] Hibernate vulnerability

2024-06-24 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6845-1
June 24, 2024

libhibernate3-java vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Hibernate could be made to expose sensitive information.

Software Description:
- libhibernate3-java: Relational Persistence for Idiomatic Java

Details:

It was discovered that Hibernate incorrectly handled certain inputs with
unsanitized literals. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  libhibernate3-java  3.6.10.Final-9+deb10u1build0.20.04.1

Ubuntu 18.04 LTS
  libhibernate3-java  3.6.10.Final-9ubuntu0.18.04.1~esm1
  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libhibernate3-java  3.6.10.Final-4ubuntu0.1~esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6845-1
  CVE-2020-25638

Package Information:
  https://launchpad.net/ubuntu/+source/libhibernate3-java/3.6.10.Final-9+deb10u1build0.20.04.1





[USN-6822-1] Node.js vulnerabilities

2024-06-11 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6822-1
June 10, 2024

nodejs vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Node.js.

Software Description:
- nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

It was discovered that Node.js incorrectly handled certain inputs when using
the policy mechanism. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to bypass the policy mechanism. (CVE-2023-32002, CVE-2023-32006)

It was discovered that Node.js incorrectly handled certain inputs when using
the policy mechanism. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to perform a privilege escalation. (CVE-2023-32559)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  libnode108  18.13.0+dfsg1-1ubuntu2.3
  nodejs  18.13.0+dfsg1-1ubuntu2.3

Ubuntu 22.04 LTS
  libnode72   12.22.9~dfsg-1ubuntu3.6
  nodejs  12.22.9~dfsg-1ubuntu3.6

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6822-1
  CVE-2023-32002, CVE-2023-32006, CVE-2023-32559

Package Information:
  https://launchpad.net/ubuntu/+source/nodejs/18.13.0+dfsg1-1ubuntu2.3
  https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.6





[USN-6800-1] browserify-sign vulnerability

2024-05-30 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6800-1
May 30, 2024

node-browserify-sign vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

browserify-sign could allow unintended access if it opened a specially crafted
file.

Software Description:
- node-browserify-sign: createSign and createVerify in your browser

Details:

It was discovered that browserify-sign incorrectly handled an upper bound check
in signature verification. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to perform a signature forgery attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  node-browserify-sign   4.2.1-3ubuntu0.1

Ubuntu 22.04 LTS
  node-browserify-sign   4.2.1-2ubuntu0.1

Ubuntu 20.04 LTS
  node-browserify-sign   4.0.4-2ubuntu0.20.04.1

Ubuntu 18.04 LTS
  node-browserify-sign   4.0.4-2ubuntu0.18.04.1~esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6800-1
  CVE-2023-46234

Package Information:
  https://launchpad.net/ubuntu/+source/node-browserify-sign/4.2.1-3ubuntu0.1
  https://launchpad.net/ubuntu/+source/node-browserify-sign/4.2.1-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/node-browserify-sign/4.0.4-2ubuntu0.20.04.1






[USN-6738-1] LXD vulnerability

2024-04-22 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6738-1
April 22, 2024

lxd vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

LXD could be made to bypass integrity checks if it received specially crafted
input.

Software Description:
- lxd: Container hypervisor based on LXC

Details:

Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that LXD
incorrectly handled the handshake phase and the use of sequence numbers in SSH
Binary Packet Protocol (BPP). If a user or an automated system were tricked
into opening a specially crafted input file, a remote attacker could possibly
use this issue to bypass integrity checks.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  lxd 3.0.3-0ubuntu1~18.04.2+esm1
  lxd-client  3.0.3-0ubuntu1~18.04.2+esm1
  lxd-tools   3.0.3-0ubuntu1~18.04.2+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  golang-github-lxc-lxd-dev   2.0.11-0ubuntu1~16.04.4+esm1
  lxc2   2.0.11-0ubuntu1~16.04.4+esm1
  lxd 2.0.11-0ubuntu1~16.04.4+esm1
  lxd-client  2.0.11-0ubuntu1~16.04.4+esm1
  lxd-tools   2.0.11-0ubuntu1~16.04.4+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6738-1
  CVE-2023-48795





[USN-6735-1] Node.js vulnerabilities

2024-04-16 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6735-1
April 16, 2024

nodejs vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Node.js.

Software Description:
- nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

It was discovered that Node.js incorrectly handled the use of invalid public
keys while creating an x509 certificate. If a user or an automated system were
tricked into opening a specially crafted input file, a remote attacker could
possibly use this issue to cause a denial of service. This issue only affected
Ubuntu 23.10. (CVE-2023-30588)

It was discovered that Node.js incorrectly handled the use of CRLF sequences to
delimit HTTP requests. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to obtain unauthorised access. This issue only affected
Ubuntu 23.10. (CVE-2023-30589)

It was discovered that Node.js incorrectly described the generateKeys()
function in the documentation. This inconsistency could possibly lead to
security issues in applications that use these APIs.
(CVE-2023-30590)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libnode-dev 18.13.0+dfsg1-1ubuntu2.2
  libnode108  18.13.0+dfsg1-1ubuntu2.2
  nodejs  18.13.0+dfsg1-1ubuntu2.2
  nodejs-doc  18.13.0+dfsg1-1ubuntu2.2

Ubuntu 22.04 LTS:
  libnode-dev 12.22.9~dfsg-1ubuntu3.5
  libnode72   12.22.9~dfsg-1ubuntu3.5
  nodejs  12.22.9~dfsg-1ubuntu3.5
  nodejs-doc  12.22.9~dfsg-1ubuntu3.5

Ubuntu 20.04 LTS:
  libnode-dev 10.19.0~dfsg-3ubuntu1.6
  libnode64   10.19.0~dfsg-3ubuntu1.6
  nodejs  10.19.0~dfsg-3ubuntu1.6
  nodejs-doc  10.19.0~dfsg-3ubuntu1.6

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  nodejs  8.10.0~dfsg-2ubuntu0.4+esm5
  nodejs-dev  8.10.0~dfsg-2ubuntu0.4+esm5
  nodejs-doc  8.10.0~dfsg-2ubuntu0.4+esm5

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  nodejs  4.2.6~dfsg-1ubuntu4.2+esm3
  nodejs-dev  4.2.6~dfsg-1ubuntu4.2+esm3
  nodejs-legacy   4.2.6~dfsg-1ubuntu4.2+esm3

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  nodejs  0.10.25~dfsg2-2ubuntu1.2+esm2
  nodejs-dev  0.10.25~dfsg2-2ubuntu1.2+esm2
  nodejs-legacy   0.10.25~dfsg2-2ubuntu1.2+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6735-1
  CVE-2023-30588, CVE-2023-30589, CVE-2023-30590

Package Information:
  https://launchpad.net/ubuntu/+source/nodejs/18.13.0+dfsg1-1ubuntu2.2
  https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.5
  https://launchpad.net/ubuntu/+source/nodejs/10.19.0~dfsg-3ubuntu1.6





[USN-6692-1] Gson vulnerability

2024-03-12 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6692-1
March 12, 2024

libgoogle-gson-java vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Gson could be made to crash if it opened a specially crafted
file.

Software Description:
- libgoogle-gson-java: A Java serialization/deserialization library to convert
  Java Objects into JSON and back

Details:

It was discovered that Gson incorrectly handled deserialization of untrusted
input data. If a user or an automated system were tricked into opening a
specially crafted input file, a remote attacker could possibly use this issue
to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  libgoogle-gson-java 2.8.8-1ubuntu0.1

Ubuntu 20.04 LTS:
  libgoogle-gson-java 2.8.5-3+deb10u1build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libgoogle-gson-java 2.8.5-3~18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libgoogle-gson-java 2.4-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6692-1
  CVE-2022-25647

Package Information:
  https://launchpad.net/ubuntu/+source/libgoogle-gson-java/2.8.8-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libgoogle-gson-java/2.8.5-3+deb10u1build0.20.04.1






[USN-6675-1] ImageProcessing vulnerability

2024-03-05 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6675-1
March 05, 2024

ruby-image-processing vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

ImageProcessing could be made to crash or run programs as an administrator
if it received specially crafted input.

Software Description:
- ruby-image-processing: High-level image processing wrapper for libvips and
  ImageMagick/GraphicsMagick

Details:

It was discovered that ImageProcessing incorrectly handled a series of
operations derived from unsanitised inputs. If a user or an automated system
were tricked into opening a specially crafted input file, a remote attacker
could possibly use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  ruby-image-processing   1.10.3-1ubuntu0.22.04.1

Ubuntu 20.04 LTS:
  ruby-image-processing   1.10.3-1ubuntu0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6675-1
  CVE-2022-24720

Package Information:
  https://launchpad.net/ubuntu/+source/ruby-image-processing/1.10.3-1ubuntu0.22.04.1
  https://launchpad.net/ubuntu/+source/ruby-image-processing/1.10.3-1ubuntu0.20.04.1






[USN-6672-1] Node.js vulnerabilities

2024-03-04 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6672-1
March 04, 2024

nodejs vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Node.js.

Software Description:
- nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

Morgan Jones discovered that Node.js incorrectly handled certain inputs that
lead to false positive errors during some cryptographic operations. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 23.10. (CVE-2023-23919)

It was discovered that Node.js incorrectly handled certain inputs, leading to
an untrusted search path vulnerability. If a user or an automated system were
tricked into opening a specially crafted input file, a remote attacker could
possibly use this issue to perform a privilege escalation. (CVE-2023-23920)

Matt Caswell discovered that Node.js incorrectly handled certain inputs with
specially crafted ASN.1 object identifiers or data containing them. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-2650)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libnode108  18.13.0+dfsg1-1ubuntu2.1
  nodejs  18.13.0+dfsg1-1ubuntu2.1

Ubuntu 22.04 LTS:
  libnode72   12.22.9~dfsg-1ubuntu3.4
  nodejs  12.22.9~dfsg-1ubuntu3.4

Ubuntu 20.04 LTS:
  libnode64   10.19.0~dfsg-3ubuntu1.5
  nodejs  10.19.0~dfsg-3ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6672-1
  CVE-2023-23919, CVE-2023-23920, CVE-2023-2650

Package Information:
  https://launchpad.net/ubuntu/+source/nodejs/18.13.0+dfsg1-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.4
  https://launchpad.net/ubuntu/+source/nodejs/10.19.0~dfsg-3ubuntu1.5






[USN-6584-2] Libspf2 vulnerabilities

2024-02-21 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6584-2
February 21, 2024

libspf2 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Libspf2.

Software Description:
- libspf2: Sender Policy Framework for SMTP authorization

Details:

USN-6584-1 fixed several vulnerabilities in Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. This update provides the corresponding updates for
CVE-2021-33912 and CVE-2021-33913 in Ubuntu 16.04 LTS.

We apologize for the inconvenience.

Original advisory details:

 Philipp Jeitner and Haya Shulman discovered that Libspf2 incorrectly handled
 certain inputs. If a user or an automated system were tricked into opening a
 specially crafted input file, a remote attacker could possibly use this issue
 to cause a denial of service or execute arbitrary code. (CVE-2021-20314)

 It was discovered that Libspf2 incorrectly handled certain inputs. If a user or
 an automated system were tricked into opening a specially crafted input file, a
 remote attacker could possibly use this issue to cause a denial of service or
 execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and
 Ubuntu 20.04 LTS. (CVE-2021-33912, CVE-2021-33913)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libmail-spf-xs-perl 1.2.10-6ubuntu0.1~esm2
  libspf2-2   1.2.10-6ubuntu0.1~esm2
  libspf2-dev 1.2.10-6ubuntu0.1~esm2
  spfquery   1.2.10-6ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6584-2
  https://ubuntu.com/security/notices/USN-6584-1
  CVE-2021-33912, CVE-2021-33913






[USN-6596-1] Apache::Session::LDAP vulnerability

2024-01-24 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6596-1
January 24, 2024

libapache-session-ldap-perl vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Apache::Session::LDAP could be made to expose sensitive information through
spoofing if it received an invalid X.509 certificate.

Software Description:
- libapache-session-ldap-perl: Apache::Session::LDAP Perl module - Store Apache
  Session in LDAP

Details:

It was discovered that Apache::Session::LDAP incorrectly handled invalid X.509
certificates. If a user or an automated system were tricked into opening a
specially crafted invalid X.509 certificate, a remote attacker could possibly
use this issue to perform spoofing and obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  libapache-session-ldap-perl 0.4-1+deb10u1build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libapache-session-ldap-perl 0.4-1ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libapache-session-ldap-perl 0.4-1ubuntu0.16.04.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6596-1
  CVE-2020-36658

Package Information:
  https://launchpad.net/ubuntu/+source/libapache-session-ldap-perl/0.4-1+deb10u1build0.20.04.1






[USN-6584-1] Libspf2 vulnerabilities

2024-01-15 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6584-1
January 15, 2024

libspf2 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Libspf2.

Software Description:
- libspf2: Sender Policy Framework for SMTP authorization

Details:

Philipp Jeitner and Haya Shulman discovered that Libspf2 incorrectly handled
certain inputs. If a user or an automated system were tricked into opening a
specially crafted input file, a remote attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. (CVE-2021-20314)

It was discovered that Libspf2 incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file, a
remote attacker could possibly use this issue to cause a denial of service or
execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2021-33912, CVE-2021-33913)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  libmail-spf-xs-perl 1.2.10-7+deb9u2build0.20.04.1
  libspf2-2   1.2.10-7+deb9u2build0.20.04.1
  libspf2-dev 1.2.10-7+deb9u2build0.20.04.1
  spfquery   1.2.10-7+deb9u2build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libmail-spf-xs-perl 1.2.10-7ubuntu0.18.04.1~esm1
  libspf2-2   1.2.10-7ubuntu0.18.04.1~esm1
  libspf2-dev 1.2.10-7ubuntu0.18.04.1~esm1
  spfquery   1.2.10-7ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libmail-spf-xs-perl 1.2.10-6ubuntu0.1~esm1
  libspf2-2   1.2.10-6ubuntu0.1~esm1
  libspf2-dev 1.2.10-6ubuntu0.1~esm1
  spfquery   1.2.10-6ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6584-1
  CVE-2021-20314, CVE-2021-33912, CVE-2021-33913

Package Information:
  https://launchpad.net/ubuntu/+source/libspf2/1.2.10-7+deb9u2build0.20.04.1






[USN-6564-1] Node.js vulnerabilities

2024-01-03 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6564-1
January 03, 2024

nodejs vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Node.js.

Software Description:
- nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

Hubert Kario discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to obtain sensitive
information. (CVE-2022-4304)

CarpetFuzz, Dawei Wang discovered that Node.js incorrectly handled certain
inputs. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2022-4450)

Octavio Galland and Marcel Böhme discovered that Node.js incorrectly handled
certain inputs. If a user or an automated system were tricked into opening a
specially crafted input file, a remote attacker could possibly use this issue
to cause a denial of service. (CVE-2023-0215)

David Benjamin discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to obtain sensitive
information. (CVE-2023-0286)

Hubert Kario and Dmitry Belyavsky discovered that Node.js incorrectly handled
certain inputs. If a user or an automated system were tricked into opening a
specially crafted input file, a remote attacker could possibly use this issue
to cause a denial of service. (CVE-2023-0401)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  libnode-dev 12.22.9~dfsg-1ubuntu3.3
  libnode72   12.22.9~dfsg-1ubuntu3.3
  nodejs  12.22.9~dfsg-1ubuntu3.3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6564-1
  CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286,
  CVE-2023-0401

Package Information:
  https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.3






[USN-6542-1] TinyXML vulnerability

2023-12-07 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6542-1
December 07, 2023

tinyxml vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

TinyXML could be made to crash if it opened a specially crafted
file.

Software Description:
- tinyxml: A simple, small, minimal, C++ XML parser

Details:

Wang Zhong discovered that TinyXML incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  libtinyxml-dev  2.6.2-4+deb10u1build0.20.04.1
  libtinyxml2.6.2v5   2.6.2-4+deb10u1build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libtinyxml-dev  2.6.2-4ubuntu0.18.04.1~esm1
  libtinyxml2.6.2v5   2.6.2-4ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libtinyxml-dev  2.6.2-3ubuntu0.1~esm1
  libtinyxml2.6.2v5   2.6.2-3ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6542-1
  CVE-2021-42260

Package Information:
  https://launchpad.net/ubuntu/+source/tinyxml/2.6.2-4+deb10u1build0.20.04.1






[USN-6529-1] Request Tracker vulnerabilities

2023-12-04 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6529-1
December 04, 2023

request-tracker4 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Request Tracker.

Software Description:
- request-tracker4: An enterprise-grade issue tracking system

Details:

It was discovered that Request Tracker incorrectly handled certain inputs. If
a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to obtain
sensitive information. (CVE-2021-38562, CVE-2022-25802, CVE-2023-41259,
CVE-2023-41260)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  request-tracker4   4.4.4+dfsg-2ubuntu1.23.10.1
  rt4-apache2   4.4.4+dfsg-2ubuntu1.23.10.1
  rt4-clients   4.4.4+dfsg-2ubuntu1.23.10.1
  rt4-db-mysql   4.4.4+dfsg-2ubuntu1.23.10.1
  rt4-db-postgresql   4.4.4+dfsg-2ubuntu1.23.10.1
  rt4-db-sqlite   4.4.4+dfsg-2ubuntu1.23.10.1
  rt4-fcgi   4.4.4+dfsg-2ubuntu1.23.10.1
  rt4-standalone   4.4.4+dfsg-2ubuntu1.23.10.1

Ubuntu 23.04:
  request-tracker4   4.4.4+dfsg-2ubuntu1.23.04.1
  rt4-apache2   4.4.4+dfsg-2ubuntu1.23.04.1
  rt4-clients   4.4.4+dfsg-2ubuntu1.23.04.1
  rt4-db-mysql   4.4.4+dfsg-2ubuntu1.23.04.1
  rt4-db-postgresql   4.4.4+dfsg-2ubuntu1.23.04.1
  rt4-db-sqlite   4.4.4+dfsg-2ubuntu1.23.04.1
  rt4-fcgi   4.4.4+dfsg-2ubuntu1.23.04.1
  rt4-standalone   4.4.4+dfsg-2ubuntu1.23.04.1

Ubuntu 22.04 LTS:
  request-tracker4   4.4.4+dfsg-2ubuntu1.22.04.1
  rt4-apache2   4.4.4+dfsg-2ubuntu1.22.04.1
  rt4-clients   4.4.4+dfsg-2ubuntu1.22.04.1
  rt4-db-mysql   4.4.4+dfsg-2ubuntu1.22.04.1
  rt4-db-postgresql   4.4.4+dfsg-2ubuntu1.22.04.1
  rt4-db-sqlite   4.4.4+dfsg-2ubuntu1.22.04.1
  rt4-fcgi   4.4.4+dfsg-2ubuntu1.22.04.1
  rt4-standalone   4.4.4+dfsg-2ubuntu1.22.04.1

Ubuntu 20.04 LTS:
  request-tracker4   4.4.3-2+deb10u3build0.20.04.1
  rt4-apache2   4.4.3-2+deb10u3build0.20.04.1
  rt4-clients   4.4.3-2+deb10u3build0.20.04.1
  rt4-db-mysql   4.4.3-2+deb10u3build0.20.04.1
  rt4-db-postgresql   4.4.3-2+deb10u3build0.20.04.1
  rt4-db-sqlite   4.4.3-2+deb10u3build0.20.04.1
  rt4-fcgi   4.4.3-2+deb10u3build0.20.04.1
  rt4-standalone   4.4.3-2+deb10u3build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  request-tracker4   4.4.2-2ubuntu0.1~esm1
  rt4-apache2   4.4.2-2ubuntu0.1~esm1
  rt4-clients   4.4.2-2ubuntu0.1~esm1
  rt4-db-mysql   4.4.2-2ubuntu0.1~esm1
  rt4-db-postgresql   4.4.2-2ubuntu0.1~esm1
  rt4-db-sqlite   4.4.2-2ubuntu0.1~esm1
  rt4-fcgi   4.4.2-2ubuntu0.1~esm1
  rt4-standalone   4.4.2-2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6529-1
  CVE-2021-38562, CVE-2022-25802, CVE-2023-41259, CVE-2023-41260

Package Information:
  https://launchpad.net/ubuntu/+source/request-tracker4/4.4.4+dfsg-2ubuntu1.23.10.1
  https://launchpad.net/ubuntu/+source/request-tracker4/4.4.4+dfsg-2ubuntu1.23.04.1
  https://launchpad.net/ubuntu/+source/request-tracker4/4.4.4+dfsg-2ubuntu1.22.04.1
  https://launchpad.net/ubuntu/+source/request-tracker4/4.4.3-2+deb10u3build0.20.04.1






[USN-6492-1] Mosquitto vulnerabilities

2023-11-21 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6492-1
November 21, 2023

mosquitto vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Mosquitto.

Software Description:
- mosquitto: MQTT version 3.1/3.1.1 compatible message broker

Details:

Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain
inputs. If a user or an automated system were provided with a specially crafted
input, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-34431)

Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If
a user or an automated system were provided with a specially crafted input, a
remote attacker could possibly use this issue to cause an authorisation bypass.
This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2021-34434)

Zhanxiang Song, Bin Yuan, DeQing Zou, and Hai Jin discovered that Mosquitto
incorrectly handled certain inputs. If a user or an automated system were
provided with a specially crafted input, a remote attacker could possibly use
this issue to cause a denial of service. This issue only affected Ubuntu 20.04
LTS and Ubuntu 22.04 LTS. (CVE-2021-41039)

Zhengjie Du discovered that Mosquitto incorrectly handled certain inputs. If a
user or an automated system were provided with a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-0809)

It was discovered that Mosquitto incorrectly handled certain inputs. If a user
or an automated system were provided with a specially crafted input, a remote
attacker could possibly use this issue to cause a denial of service.
(CVE-2023-3592)

Mischa Bachmann discovered that Mosquitto incorrectly handled certain inputs.
If a user or an automated system were provided with a specially crafted input,
a remote attacker could possibly use this issue to cause a denial of service.
This issue was only fixed in Ubuntu 22.04 LTS and Ubuntu 23.04.
(CVE-2023-28366)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
  mosquitto   2.0.11-1.2ubuntu0.1

Ubuntu 22.04 LTS:
  mosquitto   2.0.11-1ubuntu1.1

Ubuntu 20.04 LTS (Available with Ubuntu Pro):
  mosquitto   1.6.9-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6492-1
  CVE-2021-34431, CVE-2021-34434, CVE-2021-41039, CVE-2023-0809,
  CVE-2023-28366, CVE-2023-3592

Package Information:
  https://launchpad.net/ubuntu/+source/mosquitto/2.0.11-1.2ubuntu0.1
  https://launchpad.net/ubuntu/+source/mosquitto/2.0.11-1ubuntu1.1






[USN-6491-1] Node.js vulnerabilities

2023-11-21 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6491-1
November 21, 2023

nodejs vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Node.js.

Software Description:
- nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

Axel Chong discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-32212)

Zeyu Zhang discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-32213,
CVE-2022-32214, CVE-2022-32215)

It was discovered that Node.js incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-35256)

It was discovered that Node.js incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-43548)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  libnode-dev 12.22.9~dfsg-1ubuntu3.2
  libnode72   12.22.9~dfsg-1ubuntu3.2
  nodejs  12.22.9~dfsg-1ubuntu3.2
  nodejs-doc  12.22.9~dfsg-1ubuntu3.2

Ubuntu 20.04 LTS:
  libnode-dev 10.19.0~dfsg-3ubuntu1.3
  libnode64   10.19.0~dfsg-3ubuntu1.3
  nodejs  10.19.0~dfsg-3ubuntu1.3
  nodejs-doc  10.19.0~dfsg-3ubuntu1.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  nodejs  8.10.0~dfsg-2ubuntu0.4+esm4
  nodejs-dev  8.10.0~dfsg-2ubuntu0.4+esm4
  nodejs-doc  8.10.0~dfsg-2ubuntu0.4+esm4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6491-1
  CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215,
  CVE-2022-35256, CVE-2022-43548

Package Information:
  https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.2
  https://launchpad.net/ubuntu/+source/nodejs/10.19.0~dfsg-3ubuntu1.3






[USN-6472-1] GNU Scientific Library vulnerability

2023-11-07 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6472-1
November 07, 2023

gsl vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

GNU Scientific Library could be made to crash or execute arbitrary code if it
received specially crafted input.

Software Description:
- gsl: A modern numerical library for C and C++ programmers

Details:

It was discovered that GNU Scientific Library incorrectly handled certain
inputs. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to cause a
denial of service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
  gsl-bin                         2.7.1+dfsg-3ubuntu0.23.04.1
  libgsl-dev                      2.7.1+dfsg-3ubuntu0.23.04.1
  libgsl27                        2.7.1+dfsg-3ubuntu0.23.04.1
  libgslcblas0                    2.7.1+dfsg-3ubuntu0.23.04.1

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
  gsl-bin                         2.7.1+dfsg-3ubuntu0.22.04.1~esm1
  libgsl-dev                      2.7.1+dfsg-3ubuntu0.22.04.1~esm1
  libgsl27                        2.7.1+dfsg-3ubuntu0.22.04.1~esm1
  libgslcblas0                    2.7.1+dfsg-3ubuntu0.22.04.1~esm1

Ubuntu 20.04 LTS:
  gsl-bin                         2.5+dfsg-6+deb10u1build0.20.04.1
  libgsl-dev                      2.5+dfsg-6+deb10u1build0.20.04.1
  libgsl23                        2.5+dfsg-6+deb10u1build0.20.04.1
  libgslcblas0                    2.5+dfsg-6+deb10u1build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  gsl-bin                         2.4+dfsg-6ubuntu0.1~esm1
  libgsl-dev                      2.4+dfsg-6ubuntu0.1~esm1
  libgsl23                        2.4+dfsg-6ubuntu0.1~esm1
  libgslcblas0                    2.4+dfsg-6ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  gsl-bin                         2.1+dfsg-2ubuntu0.1~esm1
  libgsl-dev                      2.1+dfsg-2ubuntu0.1~esm1
  libgsl2                         2.1+dfsg-2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6472-1
  CVE-2020-35357

Package Information:
  https://launchpad.net/ubuntu/+source/gsl/2.7.1+dfsg-3ubuntu0.23.04.1
  https://launchpad.net/ubuntu/+source/gsl/2.5+dfsg-6+deb10u1build0.20.04.1






[USN-6470-1] Axis vulnerability

2023-11-02 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6470-1
November 02, 2023

axis vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Axis could be made to crash or execute arbitrary code if it received specially
crafted input.

Software Description:
- axis: SOAP implementation in Java

Details:

It was discovered that Axis incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service
or execute arbitrary code. (CVE-2023-40743)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libaxis-java                    1.4-28+deb10u1build0.23.10.1
  libaxis-java-doc                1.4-28+deb10u1build0.23.10.1

Ubuntu 23.04:
  libaxis-java                    1.4-28+deb10u1build0.23.04.1
  libaxis-java-doc                1.4-28+deb10u1build0.23.04.1

Ubuntu 22.04 LTS:
  libaxis-java                    1.4-28+deb10u1build0.22.04.1
  libaxis-java-doc                1.4-28+deb10u1build0.22.04.1

Ubuntu 20.04 LTS:
  libaxis-java                    1.4-28+deb10u1build0.20.04.1
  libaxis-java-doc                1.4-28+deb10u1build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libaxis-java                    1.4-25ubuntu0.1~esm1
  libaxis-java-doc                1.4-25ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libaxis-java                    1.4-24ubuntu0.1~esm1
  libaxis-java-doc                1.4-24ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6470-1
  CVE-2023-40743

Package Information:
  https://launchpad.net/ubuntu/+source/axis/1.4-28+deb10u1build0.23.10.1
  https://launchpad.net/ubuntu/+source/axis/1.4-28+deb10u1build0.23.04.1
  https://launchpad.net/ubuntu/+source/axis/1.4-28+deb10u1build0.22.04.1
  https://launchpad.net/ubuntu/+source/axis/1.4-28+deb10u1build0.20.04.1






[USN-6457-1] Node.js vulnerabilities

2023-10-30 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6457-1
October 30, 2023

nodejs vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Node.js.

Software Description:
- nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

Tavis Ormandy discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2022-0778)

Elison Niven discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-1292)

Chancen and Daniel Fiala discovered that Node.js incorrectly handled certain
inputs. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-2068)

Alex Chernyakhovsky discovered that Node.js incorrectly handled certain
inputs. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-2097)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  libnode-dev 12.22.9~dfsg-1ubuntu3.1
  libnode72   12.22.9~dfsg-1ubuntu3.1
  nodejs  12.22.9~dfsg-1ubuntu3.1
  nodejs-doc  12.22.9~dfsg-1ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6457-1
  CVE-2022-0778, CVE-2022-1292, CVE-2022-2068, CVE-2022-2097

Package Information:
  https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.1





[USN-6422-2] Ring vulnerabilities

2023-10-24 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6422-2
October 24, 2023

ring vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10

Summary:

Several security issues were fixed in Ring.

Software Description:
- ring: Secure and distributed voice, video, and chat platform

Details:

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)

Original advisory details:

 It was discovered that Ring incorrectly handled certain inputs. If a user or
 an automated system were tricked into opening a specially crafted input file,
 a remote attacker could possibly use this issue to execute arbitrary code.
 (CVE-2021-37706)

 It was discovered that Ring incorrectly handled certain inputs. If a user or
 an automated system were tricked into opening a specially crafted input file,
 a remote attacker could possibly use this issue to cause a denial of service.
 This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
 (CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
 CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
 CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,
 CVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031,
 CVE-2022-39244)

 It was discovered that Ring incorrectly handled certain inputs. If a user or
 an automated system were tricked into opening a specially crafted input file,
 a remote attacker could possibly use this issue to cause a denial of service.
 This issue only affected Ubuntu 20.04 LTS. (CVE-2022-21722)

 It was discovered that Ring incorrectly handled certain inputs. If a user or
 an automated system were tricked into opening a specially crafted input file,
 a remote attacker could possibly use this issue to cause a denial of service.
 (CVE-2023-27585)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  jami                            20230206.0~ds2-1.3ubuntu0.1
  jami-daemon                     20230206.0~ds2-1.3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6422-2
  https://ubuntu.com/security/notices/USN-6422-1
  CVE-2021-37706, CVE-2023-27585

Package Information:
  https://launchpad.net/ubuntu/+source/ring/20230206.0~ds2-1.3ubuntu0.1






[USN-6447-1] AOM vulnerabilities

2023-10-23 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6447-1
October 23, 2023

aom vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in AOM.

Software Description:
- aom: AV1 Video Codec Library

Details:

It was discovered that AOM incorrectly handled certain inputs. If a user or an
automated system were tricked into opening a specially crafted input file, a
remote attacker could possibly use this issue to cause a denial of service.
(CVE-2020-36130, CVE-2020-36131, CVE-2020-36133, CVE-2020-36135,
CVE-2021-30473, CVE-2021-30474, CVE-2021-30475)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  aom-tools   1.0.0.errata1-3+deb11u1build0.20.04.1
  libaom-dev  1.0.0.errata1-3+deb11u1build0.20.04.1
  libaom-doc  1.0.0.errata1-3+deb11u1build0.20.04.1
  libaom0 1.0.0.errata1-3+deb11u1build0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6447-1
  CVE-2020-36130, CVE-2020-36131, CVE-2020-36133, CVE-2020-36135,
  CVE-2021-30473, CVE-2021-30474, CVE-2021-30475

Package Information:
  https://launchpad.net/ubuntu/+source/aom/1.0.0.errata1-3+deb11u1build0.20.04.1






[USN-6422-1] Ring vulnerabilities

2023-10-09 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6422-1
October 09, 2023

ring vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Ring.

Software Description:
- ring: Secure and distributed voice, video, and chat platform

Details:

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,
CVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031,
CVE-2022-39244)

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 20.04 LTS. (CVE-2022-21722)

It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
  jami                            20230206.0~ds1-5ubuntu0.1
  jami-daemon                     20230206.0~ds1-5ubuntu0.1

Ubuntu 20.04 LTS:
  jami                            20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1
  jami-daemon                     20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1
  ring                            20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1
  ring-daemon                     20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  ring                            20180228.1.503da2b~ds1-1ubuntu0.1~esm1
  ring-daemon                     20180228.1.503da2b~ds1-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6422-1
  CVE-2021-37706, CVE-2021-43299, CVE-2021-43300, CVE-2021-43301,
  CVE-2021-43302, CVE-2021-43303, CVE-2021-43804, CVE-2021-43845,
  CVE-2022-21722, CVE-2022-21723, CVE-2022-23537, CVE-2022-23547,
  CVE-2022-23608, CVE-2022-24754, CVE-2022-24763, CVE-2022-24764,
  CVE-2022-24793, CVE-2022-31031, CVE-2022-39244, CVE-2023-27585

Package Information:
  https://launchpad.net/ubuntu/+source/ring/20230206.0~ds1-5ubuntu0.1
  https://launchpad.net/ubuntu/+source/ring/20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1






[USN-6418-1] Node.js vulnerabilities

2023-10-05 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6418-1
October 05, 2023

nodejs vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Node.js.

Software Description:
- nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

It was discovered that Node.js incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. This issue was only fixed in Ubuntu 20.04 LTS. (CVE-2021-22883)

Vít Šesták discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2021-22884)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  libnode-dev 10.19.0~dfsg-3ubuntu1.2
  libnode64   10.19.0~dfsg-3ubuntu1.2
  nodejs  10.19.0~dfsg-3ubuntu1.2

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  nodejs  8.10.0~dfsg-2ubuntu0.4+esm3
  nodejs-dev  8.10.0~dfsg-2ubuntu0.4+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6418-1
  CVE-2021-22883, CVE-2021-22884

Package Information:
  https://launchpad.net/ubuntu/+source/nodejs/10.19.0~dfsg-3ubuntu1.2






[USN-6380-1] Node.js vulnerabilities

2023-09-19 Thread Amir Naseredini

==
Ubuntu Security Notice USN-6380-1
September 19, 2023

nodejs vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Node.js.

Software Description:
- nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

Rogier Schouten discovered that Node.js incorrectly handled certain inputs. If
a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2019-15604)

Ethan Rubinson discovered that Node.js incorrectly handled certain inputs. If
a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS. (CVE-2019-15605)

Alyssa Wilk discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS. (CVE-2019-15606)

Tobias Niessen discovered that Node.js incorrectly handled certain inputs. If
a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-8174)

It was discovered that Node.js incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2020-8265, CVE-2020-8287)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  libnode-dev 10.19.0~dfsg-3ubuntu1.1
  libnode64   10.19.0~dfsg-3ubuntu1.1
  nodejs  10.19.0~dfsg-3ubuntu1.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  nodejs  8.10.0~dfsg-2ubuntu0.4+esm2
  nodejs-dev  8.10.0~dfsg-2ubuntu0.4+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  nodejs  4.2.6~dfsg-1ubuntu4.2+esm2
  nodejs-dev  4.2.6~dfsg-1ubuntu4.2+esm2
  nodejs-legacy   4.2.6~dfsg-1ubuntu4.2+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6380-1
  CVE-2019-15604, CVE-2019-15605, CVE-2019-15606, CVE-2020-8174,
  CVE-2020-8265, CVE-2020-8287

Package Information:
  https://launchpad.net/ubuntu/+source/nodejs/10.19.0~dfsg-3ubuntu1.1






[USN-5904-1] SoX vulnerabilities

2023-03-02 Thread Amir Naseredini

==
Ubuntu Security Notice USN-5904-1
March 02, 2023

sox vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in SoX.

Software Description:
- sox: Swiss army knife of sound processing

Details:

Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS,
and Ubuntu 18.04 LTS. (CVE-2019-13590)

Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2021-23159, CVE-2021-23172, CVE-2021-23210,
CVE-2021-33844, CVE-2021-3643, CVE-2021-40426, CVE-2022-31650, and
CVE-2022-31651)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  libsox3                         14.4.2+git20190427-3ubuntu0.1
  sox                             14.4.2+git20190427-3ubuntu0.1

Ubuntu 22.04 LTS:
  libsox3                         14.4.2+git20190427-2+deb11u1build0.22.04.1
  sox                             14.4.2+git20190427-2+deb11u1build0.22.04.1

Ubuntu 20.04 LTS:
  libsox3                         14.4.2+git20190427-2+deb11u1build0.20.04.1
  sox                             14.4.2+git20190427-2+deb11u1build0.20.04.1

Ubuntu 18.04 LTS:
  libsox3                         14.4.2-3ubuntu0.18.04.2
  sox                             14.4.2-3ubuntu0.18.04.2

Ubuntu 16.04 ESM:
  libsox2                         14.4.1-5+deb8u4ubuntu0.1+esm1
  sox                             14.4.1-5+deb8u4ubuntu0.1+esm1

Ubuntu 14.04 ESM:
  libsox2                         14.4.1-3ubuntu1.1+esm2
  sox                             14.4.1-3ubuntu1.1+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5904-1
  CVE-2019-13590, CVE-2021-23159, CVE-2021-23172, CVE-2021-23210,
  CVE-2021-33844, CVE-2021-3643, CVE-2021-40426, CVE-2022-31650,
  CVE-2022-31651

Package Information:
  https://launchpad.net/ubuntu/+source/sox/14.4.2+git20190427-3ubuntu0.1
  https://launchpad.net/ubuntu/+source/sox/14.4.2+git20190427-2+deb11u1build0.22.04.1
  https://launchpad.net/ubuntu/+source/sox/14.4.2+git20190427-2+deb11u1build0.20.04.1
  https://launchpad.net/ubuntu/+source/sox/14.4.2-3ubuntu0.18.04.2




[USN-5882-1] DCMTK vulnerabilities

2023-02-23 Thread Amir Naseredini

==
Ubuntu Security Notice USN-5882-1
February 22, 2023

dcmtk vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in DCMTK.

Software Description:
- dcmtk: OFFIS DICOM toolkit command line utilities

Details:

Gjoko Krstic discovered that DCMTK incorrectly handled buffers. If a user or
an automated system were tricked into opening a certain specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2015-8979)

Omar Ganiev discovered that DCMTK incorrectly handled buffers. If a user or
an automated system were tricked into opening a certain specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS. (CVE-2019-1010228)

Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If a
user or an automated system were tricked into opening a certain specially
crafted input file, a remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2021-41687,
CVE-2021-41688, CVE-2021-41689, and CVE-2021-41690)

Sharon Brizinov and Noam Moshe discovered that DCMTK incorrectly handled
certain inputs. If a user or an automated system were tricked into opening
a certain specially crafted input file, a remote attacker could possibly use
this issue to execute arbitrary code. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2022-2119 and CVE-2022-2120)

Sharon Brizinov and Noam Moshe discovered that DCMTK incorrectly handled
pointers. If a user or an automated system were tricked into opening a
certain specially crafted input file, a remote attacker could possibly use
this issue to cause a denial of service. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2022-2121)

It was discovered that DCMTK incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a certain specially
crafted input file, a remote attacker could possibly use this issue to
cause a denial of service. This issue affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10.
(CVE-2022-43272)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  dcmtk                           3.6.7-6ubuntu0.1
  libdcmtk17                      3.6.7-6ubuntu0.1

Ubuntu 22.04 LTS:
  dcmtk                           3.6.6-5ubuntu0.1~esm1
  libdcmtk16                      3.6.6-5ubuntu0.1~esm1

Ubuntu 20.04 LTS:
  dcmtk                           3.6.4-2.1ubuntu0.1~esm1
  libdcmtk14                      3.6.4-2.1ubuntu0.1~esm1

Ubuntu 18.04 LTS:
  dcmtk                           3.6.2-3ubuntu0.1~esm1
  libdcmtk12                      3.6.2-3ubuntu0.1~esm1

Ubuntu 16.04 ESM:
  dcmtk                           3.6.1~20150924-5ubuntu0.1~esm1
  libdcmtk5                       3.6.1~20150924-5ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5882-1
  CVE-2015-8979, CVE-2019-1010228, CVE-2021-41687, CVE-2021-41688,
  CVE-2021-41689, CVE-2021-41690, CVE-2022-2119, CVE-2022-2120,
  CVE-2022-2121, CVE-2022-43272

Package Information:
  https://launchpad.net/ubuntu/+source/dcmtk/3.6.7-6ubuntu0.1
  https://launchpad.net/ubuntu/+source/dcmtk/3.6.6-5ubuntu0.1~esm1
  https://launchpad.net/ubuntu/+source/dcmtk/3.6.4-2.1ubuntu0.1~esm1
  https://launchpad.net/ubuntu/+source/dcmtk/3.6.2-3ubuntu0.1~esm1







OpenPGP_0x56383E35D153B8B2.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature



[USN-5840-1] Long Range ZIP vulnerabilities

2023-02-02 Thread Amir Naseredini

==
Ubuntu Security Notice USN-5840-1
February 02, 2023

lrzip vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Long Range ZIP.

Software Description:
- lrzip: compression program with a very high compression ratio

Details:

It was discovered that Long Range ZIP incorrectly handled pointers. If
a user or an automated system were tricked into opening a certain
specially crafted ZIP file, an attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-25467)

It was discovered that Long Range ZIP incorrectly handled pointers. If
a user or an automated system were tricked into opening a certain
specially crafted ZIP file, an attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 18.04 LTS
and Ubuntu 20.04 LTS. (CVE-2021-27345, CVE-2021-27347)

It was discovered that Long Range ZIP incorrectly handled pointers. If
a user or an automated system were tricked into opening a certain
specially crafted ZIP file, an attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 16.04 ESM,
Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2022-26291)

It was discovered that Long Range ZIP incorrectly handled memory allocation,
which could lead to a heap memory corruption. An attacker could possibly use
this issue to cause denial of service. This issue affected Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and
Ubuntu 22.10. (CVE-2022-28044)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  lrzip   0.651-2ubuntu0.22.10.1

Ubuntu 22.04 LTS:
  lrzip   0.651-2ubuntu0.22.04.1

Ubuntu 20.04 LTS:
  lrzip 0.631+git180528-1+deb10u1build0.20.04.1

Ubuntu 18.04 LTS:
  lrzip   0.631-1+deb9u3build0.18.04.1

Ubuntu 16.04 ESM:
  lrzip   0.621-1ubuntu0.1~esm2

Ubuntu 14.04 ESM:
  lrzip   0.616-1ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5840-1
  CVE-2018-5786, CVE-2020-25467, CVE-2021-27345, CVE-2021-27347,
  CVE-2022-26291, CVE-2022-28044

Package Information:
  https://launchpad.net/ubuntu/+source/lrzip/0.651-2ubuntu0.22.10.1
  https://launchpad.net/ubuntu/+source/lrzip/0.651-2ubuntu0.22.04.1
  https://launchpad.net/ubuntu/+source/lrzip/0.631+git180528-1+deb10u1build0.20.04.1
  https://launchpad.net/ubuntu/+source/lrzip/0.631-1+deb9u3build0.18.04.1



OpenPGP_0x56383E35D153B8B2.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature



[USN-5826-1] Privoxy vulnerabilities

2023-01-25 Thread Amir Naseredini

==
Ubuntu Security Notice USN-5826-1
January 25, 2023

privoxy vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Privoxy.

Software Description:
- privoxy: Privacy enhancing HTTP Proxy

Details:

Joshua Rogers discovered that Privoxy incorrectly handled memory allocation.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2021-44540)

Artem Ivanov discovered that Privoxy incorrectly handled input validations.
An attacker could possibly use this issue to perform cross-site scripting
(XSS) attacks. (CVE-2021-44543)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  privoxy                         3.0.28-2ubuntu0.2

Ubuntu 18.04 LTS:
  privoxy                         3.0.26-5ubuntu0.3

In general, a standard system update will make all the necessary changes.
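Added example, not part of any of the notices above: a small Python check that parses an "Update instructions" block in the form used by these notices and compares installed package versions against the fixed versions using dpkg's own ordering (re-implemented here so it runs without dpkg; note that epochs such as "1:" and "~esm1" suffixes change the outcome). The USN_BLOCK sample is constructed from the privoxy entry above, and the installed versions would normally be read from dpkg-query.

```python
import re
from itertools import zip_longest

# Constructed sample: the Ubuntu 20.04 entry of the privoxy update block above.
USN_BLOCK = """Ubuntu 20.04 LTS:
  privoxy                         3.0.28-2ubuntu0.2
"""
RELEASE_RE = re.compile(r"^(Ubuntu \d\d\.\d\d(?: (?:LTS|ESM))?):?\s*$")
PACKAGE_RE = re.compile(r"^\s+(\S+)\s+(\S+)\s*$")  # indented: name, version
RUN_RE = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs

def parse_fixed_versions(text):
    """{release: {package: fixed_version}}; lines with no version column skipped."""
    fixed, release = {}, None
    for line in text.splitlines():
        if m := RELEASE_RE.match(line):
            release = fixed.setdefault(m.group(1), {})
        elif (m := PACKAGE_RE.match(line)) and release is not None:
            release[m.group(1)] = m.group(2)
    return fixed

def _order(c):
    """dpkg character weight: '~' < end of string < letters < other symbols."""
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's verrevcmp(): non-digit runs compared by weight, digit runs as numbers."""
    runs = zip_longest(RUN_RE.findall(a), RUN_RE.findall(b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in runs:
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(a, b):
    """Like dpkg --compare-versions: negative, zero or positive for a <, ==, > b."""
    def split(v):  # epoch before the first ':', revision after the last '-'
        epoch, colon, rest = v.partition(":")
        epoch, rest = (int(epoch), rest) if colon else (0, v)
        upstream, dash, revision = rest.rpartition("-")
        return (epoch, upstream, revision) if dash else (epoch, rest, "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def outdated(fixed_for_release, installed):
    """USN packages whose installed version (e.g. from dpkg-query -W) is below the fix."""
    return sorted(p for p, v in fixed_for_release.items()
                  if p in installed and compare_versions(installed[p], v) < 0)
```

Feed `outdated()` the release's entry from `parse_fixed_versions()` and a `{name: version}` map built from `dpkg-query -W -f '${Package} ${Version}\n'` to list what still needs the update.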

References:
https://ubuntu.com/security/notices/USN-5826-1
  CVE-2021-44540, CVE-2021-44543


OpenPGP_0x56383E35D153B8B2.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature