[USN-6305-3] PHP regression

2024-07-03 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6305-3
July 03, 2024

php7.0 and php7.2 regression
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-6305-2 caused a regression in parsing XML.

Software Description:
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-6305-2 fixed a vulnerability in PHP. The update caused a regression
in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. This update fixes it.

Original advisory details:

 It was discovered that PHP incorrectly handled certain XML files.
 An attacker could possibly use this issue to expose sensitive information.
 (CVE-2023-3823)

 It was discovered that PHP incorrectly handled certain PHAR files.
 An attacker could possibly use this issue to cause a crash,
 expose sensitive information or execute arbitrary code.
 (CVE-2023-3824)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  php7.2  7.2.24-0ubuntu0.18.04.17+esm4
  Available with Ubuntu Pro
  php7.2-cgi  7.2.24-0ubuntu0.18.04.17+esm4
  Available with Ubuntu Pro
  php7.2-cli  7.2.24-0ubuntu0.18.04.17+esm4
  Available with Ubuntu Pro
  php7.2-fpm  7.2.24-0ubuntu0.18.04.17+esm4
  Available with Ubuntu Pro
  php7.2-xml  7.2.24-0ubuntu0.18.04.17+esm4
  Available with Ubuntu Pro
  php7.2-xmlrpc   7.2.24-0ubuntu0.18.04.17+esm4
  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  php7.0  7.0.33-0ubuntu0.16.04.16+esm10
  Available with Ubuntu Pro
  php7.0-cgi  7.0.33-0ubuntu0.16.04.16+esm10
  Available with Ubuntu Pro
  php7.0-cli  7.0.33-0ubuntu0.16.04.16+esm10
  Available with Ubuntu Pro
  php7.0-fpm  7.0.33-0ubuntu0.16.04.16+esm10
  Available with Ubuntu Pro
  php7.0-xml  7.0.33-0ubuntu0.16.04.16+esm10
  Available with Ubuntu Pro
  php7.0-xmlrpc   7.0.33-0ubuntu0.16.04.16+esm10
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6305-3
  https://ubuntu.com/security/notices/USN-6305-1
  https://launchpad.net/bugs/2071768



signature.asc
Description: PGP signature



[USN-6859-1] OpenSSH vulnerability

2024-07-01 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6859-1
July 01, 2024

openssh vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

OpenSSH could be made to bypass authentication and remotely
access systems without proper credentials.

Software Description:
- openssh: secure shell (SSH) for secure access to remote machines

Details:

It was discovered that OpenSSH incorrectly handled signal management. A
remote attacker could use this issue to bypass authentication and remotely
access systems without proper credentials.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  openssh-client  1:9.6p1-3ubuntu13.3
  openssh-server  1:9.6p1-3ubuntu13.3

Ubuntu 23.10
  openssh-client  1:9.3p1-1ubuntu3.6
  openssh-server  1:9.3p1-1ubuntu3.6

Ubuntu 22.04 LTS
  openssh-client  1:8.9p1-3ubuntu0.10
  openssh-server  1:8.9p1-3ubuntu0.10

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6859-1
  CVE-2024-6387

Package Information:
  https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.3
  https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.6
  https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.10






[USN-6852-2] Wget vulnerability

2024-06-27 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6852-2
June 27, 2024

wget vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Wget could be made to connect to a different host than expected.

Software Description:
- wget: retrieves files from the web

Details:

USN-6852-1 fixed a vulnerability in Wget. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 It was discovered that Wget incorrectly handled semicolons in the userinfo
 subcomponent of a URI. A remote attacker could possibly trick a user into
 connecting to a different host than expected.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  wget  1.19.4-1ubuntu2.2+esm1
  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  wget  1.17.1-1ubuntu1.5+esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6852-2
  https://ubuntu.com/security/notices/USN-6852-1
  CVE-2024-38428






[USN-6851-1] Netplan vulnerabilities

2024-06-26 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6851-1
June 26, 2024

netplan.io vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Netplan could reveal secrets or execute commands with a specially crafted
configuration file.

Software Description:
- netplan.io: Declarative network configuration for various backends

Details:

Andreas Hasenack discovered that netplan incorrectly handled the permissions
for netdev files containing WireGuard configuration. An attacker could use
this to obtain WireGuard secret keys.

It was discovered that netplan configuration could be manipulated into injecting
arbitrary commands while setting up network interfaces. An attacker could
use this to execute arbitrary commands or escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libnetplan1 1.0-2ubuntu1.1
  netplan-generator   1.0-2ubuntu1.1
  netplan.io  1.0-2ubuntu1.1

Ubuntu 23.10
  libnetplan0 0.107-5ubuntu0.3
  netplan-generator   0.107-5ubuntu0.3
  netplan.io  0.107-5ubuntu0.3

Ubuntu 22.04 LTS
  libnetplan0 0.106.1-7ubuntu0.22.04.3
  netplan.io  0.106.1-7ubuntu0.22.04.3

Ubuntu 20.04 LTS
  libnetplan0 0.104-0ubuntu2~20.04.5
  netplan.io  0.104-0ubuntu2~20.04.5

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6851-1
  CVE-2022-4968, https://launchpad.net/bugs/1987842,
  https://launchpad.net/bugs/2065738, https://launchpad.net/bugs/2066258

Package Information:
  https://launchpad.net/ubuntu/+source/netplan.io/1.0-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/netplan.io/0.107-5ubuntu0.3
  https://launchpad.net/ubuntu/+source/netplan.io/0.106.1-7ubuntu0.22.04.3
  https://launchpad.net/ubuntu/+source/netplan.io/0.104-0ubuntu2~20.04.5






[USN-6746-2] Google Guest Agent and Google OS Config Agent vulnerability

2024-06-25 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6746-2
June 25, 2024

google-guest-agent, google-osconfig-agent vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Google Guest Agent and OS Config Agent could be made to crash
if they opened a specially crafted JSON file.

Software Description:
- google-guest-agent: Google Compute Engine Guest Agent
- google-osconfig-agent: Google OS Config Agent

Details:

USN-6746-1 fixed vulnerabilities in Google Guest Agent and Google
OS Config Agent. This update provides the corresponding update for
Ubuntu 24.04 LTS.

Original advisory details:

 It was discovered that Google Guest Agent and Google OS Config Agent
 incorrectly handled certain JSON files. An attacker could possibly use this
 issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  google-guest-agent  20240213.00-0ubuntu3.1
  google-osconfig-agent   20240320.00-0ubuntu1~24.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6746-2
  https://ubuntu.com/security/notices/USN-6746-1
  CVE-2024-24786

Package Information:
  https://launchpad.net/ubuntu/+source/google-guest-agent/20240213.00-0ubuntu3.1
  
https://launchpad.net/ubuntu/+source/google-osconfig-agent/20240320.00-0ubuntu1~24.04.1






[USN-6844-1] CUPS vulnerability

2024-06-25 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6844-1
June 24, 2024

cups vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

CUPS could be made to chmod arbitrary paths with a specially
crafted configuration file.

Software Description:
- cups: Common UNIX Printing System(tm)

Details:

Rory McNamara discovered that when starting the cupsd server with a
Listen configuration item, the cupsd process fails to validate whether the
bind call succeeded. An attacker could possibly trick cupsd into performing
an arbitrary chmod of the provided argument, granting world-writable
access to the target.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  cups  2.4.7-1.2ubuntu7.1

Ubuntu 23.10
  cups  2.4.6-0ubuntu3.1

Ubuntu 22.04 LTS
  cups  2.4.1op1-1ubuntu4.9

Ubuntu 20.04 LTS
  cups  2.3.1-9ubuntu1.7

Ubuntu 18.04 LTS
  cups  2.2.7-1ubuntu2.10+esm4
  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  cups  2.1.3-4ubuntu0.11+esm6
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6844-1
  CVE-2024-35235

Package Information:
  https://launchpad.net/ubuntu/+source/cups/2.4.7-1.2ubuntu7.1
  https://launchpad.net/ubuntu/+source/cups/2.4.6-0ubuntu3.1
  https://launchpad.net/ubuntu/+source/cups/2.4.1op1-1ubuntu4.9
  https://launchpad.net/ubuntu/+source/cups/2.3.1-9ubuntu1.7






[USN-6841-1] PHP vulnerability

2024-06-19 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6841-1
June 19, 2024

php7.4, php8.1, php8.2, php8.3 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

PHP could be made to accept invalid URLs.

Software Description:
- php8.3: server-side, HTML-embedded scripting language (metapackage)
- php8.2: server-side, HTML-embedded scripting language (metapackage)
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP's filter_var function could return early,
resulting in invalid user information being treated as valid user
information. An attacker could possibly use this issue to expose raw
user input.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libapache2-mod-php8.3   8.3.6-0ubuntu0.24.04.1
  php8.3  8.3.6-0ubuntu0.24.04.1
  php8.3-cgi  8.3.6-0ubuntu0.24.04.1
  php8.3-cli  8.3.6-0ubuntu0.24.04.1
  php8.3-fpm  8.3.6-0ubuntu0.24.04.1

Ubuntu 23.10
  libapache2-mod-php8.2   8.2.10-2ubuntu2.2
  php8.2  8.2.10-2ubuntu2.2
  php8.2-cgi  8.2.10-2ubuntu2.2
  php8.2-cli  8.2.10-2ubuntu2.2
  php8.2-fpm  8.2.10-2ubuntu2.2

Ubuntu 22.04 LTS
  libapache2-mod-php8.1   8.1.2-1ubuntu2.18
  php8.1  8.1.2-1ubuntu2.18
  php8.1-cgi  8.1.2-1ubuntu2.18
  php8.1-cli  8.1.2-1ubuntu2.18
  php8.1-fpm  8.1.2-1ubuntu2.18

Ubuntu 20.04 LTS
  libapache2-mod-php7.4   7.4.3-4ubuntu2.23
  php7.4  7.4.3-4ubuntu2.23
  php7.4-cgi  7.4.3-4ubuntu2.23
  php7.4-cli  7.4.3-4ubuntu2.23
  php7.4-fpm  7.4.3-4ubuntu2.23

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6841-1
  CVE-2024-5458

Package Information:
  https://launchpad.net/ubuntu/+source/php8.3/8.3.6-0ubuntu0.24.04.1
  https://launchpad.net/ubuntu/+source/php8.2/8.2.10-2ubuntu2.2
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.18
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.23






[USN-6793-2] Git vulnerability

2024-06-18 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6793-2
June 18, 2024

git vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Git could be made to run programs as your login if it clones
a crafted repository.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

USN-6793-1 fixed vulnerabilities in Git. The fix for CVE-2024-32002 was
pending further investigation. This update fixes the problem.

Original advisory details:

 It was discovered that Git incorrectly handled certain submodules.
 An attacker could possibly use this issue to execute arbitrary code.
 This issue was fixed in Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.
 (CVE-2024-32002)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  git 1:2.25.1-1ubuntu3.13

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6793-2
  https://ubuntu.com/security/notices/USN-6793-1
  CVE-2024-32002

Package Information:
  https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.13






[USN-6715-2] unixODBC vulnerability

2024-06-05 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6715-2
June 05, 2024

unixodbc vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

unixODBC could be made to crash or execute arbitrary code.

Software Description:
- unixodbc: Basic ODBC tools

Details:

USN-6715-1 fixed a vulnerability in unixODBC. This update provides the
corresponding fix for Ubuntu 24.04 LTS.

Original advisory details:

 It was discovered that unixODBC incorrectly handled certain bytes.
 An attacker could use this issue to execute arbitrary code or cause
 a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libodbc2  2.3.12-1ubuntu0.24.04.1
  unixodbc  2.3.12-1ubuntu0.24.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6715-2
  https://ubuntu.com/security/notices/USN-6715-1
  CVE-2024-1013

Package Information:
  https://launchpad.net/ubuntu/+source/unixodbc/2.3.12-1ubuntu0.24.04.1






[USN-6805-1] libarchive vulnerability

2024-06-04 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6805-1
June 04, 2024

libarchive vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

libarchive could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- libarchive: Library to read/write archive files

Details:

It was discovered that libarchive incorrectly handled certain RAR archive files.
An attacker could possibly use this issue to execute arbitrary code
or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libarchive13t64 3.7.2-2ubuntu0.1

Ubuntu 23.10
  libarchive13  3.6.2-1ubuntu1.1

Ubuntu 22.04 LTS
  libarchive13  3.6.0-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6805-1
  CVE-2024-26256

Package Information:
  https://launchpad.net/ubuntu/+source/libarchive/3.7.2-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/libarchive/3.6.2-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/libarchive/3.6.0-1ubuntu1.1






[USN-6798-1] GStreamer Base Plugins vulnerability

2024-05-29 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6798-1
May 29, 2024

gst-plugins-base1.0 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

GStreamer Base Plugins could be made to crash or run programs as your login
if it opened a specially crafted file.

Software Description:
- gst-plugins-base1.0: GStreamer plugins

Details:

It was discovered that GStreamer Base Plugins incorrectly handled certain
EXIF metadata. An attacker could possibly use this issue to execute arbitrary
code or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  gstreamer1.0-plugins-base   1.24.2-1ubuntu0.1

Ubuntu 23.10
  gstreamer1.0-plugins-base   1.22.6-1ubuntu0.1

Ubuntu 22.04 LTS
  gstreamer1.0-plugins-base   1.20.1-1ubuntu0.2

Ubuntu 20.04 LTS
  gstreamer1.0-plugins-base   1.16.3-0ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6798-1
  CVE-2024-4453

Package Information:
  https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.24.2-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.22.6-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.20.1-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.16.3-0ubuntu1.3






[USN-6793-1] Git vulnerabilities

2024-05-28 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6793-1
May 28, 2024

git vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Git.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

It was discovered that Git incorrectly handled certain submodules.
An attacker could possibly use this issue to execute arbitrary code.
This issue was fixed in Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2024-32002)

It was discovered that Git incorrectly handled certain cloned repositories.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2024-32004)

It was discovered that Git incorrectly handled local clones with hardlinked
files/directories. An attacker could possibly use this issue to place a
specialized repository on their target's local system. (CVE-2024-32020)

It was discovered that Git incorrectly handled certain symlinks. An attacker
could possibly use this issue to impact availability and integrity by
creating hardlinked arbitrary files in the objects/ directory of a user's
repository. (CVE-2024-32021)

It was discovered that Git incorrectly handled certain cloned repositories.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2024-32465)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  git 1:2.43.0-1ubuntu7.1

Ubuntu 23.10
  git 1:2.40.1-1ubuntu1.1

Ubuntu 22.04 LTS
  git 1:2.34.1-1ubuntu1.11

Ubuntu 20.04 LTS
  git 1:2.25.1-1ubuntu3.12

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6793-1
  CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021,
  CVE-2024-32465

Package Information:
  https://launchpad.net/ubuntu/+source/git/1:2.43.0-1ubuntu7.1
  https://launchpad.net/ubuntu/+source/git/1:2.40.1-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.11
  https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.12






[USN-6771-1] SQL parse vulnerability

2024-05-13 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6771-1
May 13, 2024

sqlparse vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

SQL parse could be made to cause a denial of service if it received
specially crafted input.

Software Description:
- sqlparse: documentation for non-validating SQL parser in Python

Details:

It was discovered that SQL parse incorrectly handled certain nested lists.
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-sqlparse  0.4.4-1ubuntu0.1

Ubuntu 23.10
  python3-sqlparse  0.4.2-1ubuntu1.1

Ubuntu 22.04 LTS
  python3-sqlparse  0.4.2-1ubuntu0.22.04.2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6771-1
  CVE-2024-4340

Package Information:
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.4-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.22.04.2






[USN-6757-2] PHP vulnerabilities

2024-05-02 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6757-2
May 02, 2024

php7.4, php8.1, php8.2 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php8.2: server-side, HTML-embedded scripting language (metapackage)
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter

Details:

USN-6757-1 fixed vulnerabilities in PHP. Unfortunately these fixes were
incomplete for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. This
update fixes the problem.

Original advisory details:

 It was discovered that PHP incorrectly handled the PHP_CLI_SERVER_WORKERS variable.
 An attacker could possibly use this issue to cause a crash or execute
 arbitrary code. This issue only affected Ubuntu 20.04 LTS, and
 Ubuntu 22.04 LTS. (CVE-2022-4900)

 It was discovered that PHP incorrectly handled certain cookies.
 An attacker could possibly use this issue to perform a cookie bypass.
 (CVE-2024-2756)

 It was discovered that PHP incorrectly handled some passwords.
 An attacker could possibly use this issue to cause an account takeover
 attack. (CVE-2024-3096)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  libapache2-mod-php8.2   8.2.10-2ubuntu2.1
  php8.2  8.2.10-2ubuntu2.1
  php8.2-cgi  8.2.10-2ubuntu2.1
  php8.2-cli  8.2.10-2ubuntu2.1
  php8.2-fpm  8.2.10-2ubuntu2.1
  php8.2-xml  8.2.10-2ubuntu2.1

Ubuntu 22.04 LTS
  libapache2-mod-php8.1   8.1.2-1ubuntu2.17
  php8.1  8.1.2-1ubuntu2.17
  php8.1-cgi  8.1.2-1ubuntu2.17
  php8.1-cli  8.1.2-1ubuntu2.17
  php8.1-fpm  8.1.2-1ubuntu2.17
  php8.1-xml  8.1.2-1ubuntu2.17

Ubuntu 20.04 LTS
  libapache2-mod-php7.4   7.4.3-4ubuntu2.22
  php7.4  7.4.3-4ubuntu2.22
  php7.4-cgi  7.4.3-4ubuntu2.22
  php7.4-cli  7.4.3-4ubuntu2.22
  php7.4-fpm  7.4.3-4ubuntu2.22
  php7.4-xml  7.4.3-4ubuntu2.22

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6757-2
  https://ubuntu.com/security/notices/USN-6757-1
  CVE-2022-4900, CVE-2024-2756, CVE-2024-3096

Package Information:
  https://launchpad.net/ubuntu/+source/php8.2/8.2.10-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.17
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.22






[USN-6762-1] GNU C Library vulnerabilities

2024-05-02 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6762-1
May 02, 2024

eglibc, glibc vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in GNU C Library.

Software Description:
- glibc: GNU C Library
- eglibc: GNU C Library

Details:

It was discovered that GNU C Library incorrectly handled netgroup requests.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9984)

It was discovered that GNU C Library might allow context-dependent
attackers to cause a denial of service. This issue only affected
Ubuntu 14.04 LTS. (CVE-2015-20109)

It was discovered that the GNU C Library, when processing very long pathname
arguments to the realpath function, could encounter an integer overflow on
32-bit architectures, leading to a stack-based buffer overflow and,
potentially, arbitrary code execution. This issue only affected
Ubuntu 14.04 LTS. (CVE-2018-11236)

It was discovered that the GNU C library getcwd function incorrectly
handled buffers. An attacker could use this issue to cause the GNU C
Library to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2021-3999)

Charles Fol discovered that the GNU C Library iconv feature incorrectly
handled certain input sequences. An attacker could use this issue to cause
the GNU C Library to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2024-2961)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  libc6   2.27-3ubuntu1.6+esm2
  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libc6   2.23-0ubuntu11.3+esm6
  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libc6   2.19-0ubuntu6.15+esm3
  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6762-1
  CVE-2014-9984, CVE-2015-20109, CVE-2018-11236, CVE-2021-3999,
  CVE-2024-2961, https://launchpad.net/bugs/2063328






[USN-6757-1] PHP vulnerabilities

2024-04-29 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6757-1
April 29, 2024

php7.0, php7.2, php7.4, php8.1 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled the PHP_CLI_SERVER_WORKERS variable.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. This issue only affected Ubuntu 20.04 LTS, and
Ubuntu 22.04 LTS. (CVE-2022-4900)

It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to perform a cookie bypass.
(CVE-2024-2756)

It was discovered that PHP incorrectly handled some passwords.
An attacker could possibly use this issue to cause an account takeover
attack. (CVE-2024-3096)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  libapache2-mod-php8.1   8.1.2-1ubuntu2.16
  php8.1  8.1.2-1ubuntu2.16
  php8.1-cgi  8.1.2-1ubuntu2.16
  php8.1-cli  8.1.2-1ubuntu2.16
  php8.1-fpm  8.1.2-1ubuntu2.16
  php8.1-xml  8.1.2-1ubuntu2.16

Ubuntu 20.04 LTS
  libapache2-mod-php7.4   7.4.3-4ubuntu2.21
  php7.4  7.4.3-4ubuntu2.21
  php7.4-cgi  7.4.3-4ubuntu2.21
  php7.4-cli  7.4.3-4ubuntu2.21
  php7.4-fpm  7.4.3-4ubuntu2.21
  php7.4-xml  7.4.3-4ubuntu2.21

Ubuntu 18.04 LTS
  libapache2-mod-php7.2   7.2.24-0ubuntu0.18.04.17+esm3
  Available with Ubuntu Pro
  php7.2  7.2.24-0ubuntu0.18.04.17+esm3
  Available with Ubuntu Pro
  php7.2-cgi  7.2.24-0ubuntu0.18.04.17+esm3
  Available with Ubuntu Pro
  php7.2-cli  7.2.24-0ubuntu0.18.04.17+esm3
  Available with Ubuntu Pro
  php7.2-fpm  7.2.24-0ubuntu0.18.04.17+esm3
  Available with Ubuntu Pro
  php7.2-xml  7.2.24-0ubuntu0.18.04.17+esm3
  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libapache2-mod-php7.0   7.0.33-0ubuntu0.16.04.16+esm9
  Available with Ubuntu Pro
  php7.0  7.0.33-0ubuntu0.16.04.16+esm9
  Available with Ubuntu Pro
  php7.0-cgi  7.0.33-0ubuntu0.16.04.16+esm9
  Available with Ubuntu Pro
  php7.0-cli  7.0.33-0ubuntu0.16.04.16+esm9
  Available with Ubuntu Pro
  php7.0-fpm  7.0.33-0ubuntu0.16.04.16+esm9
  Available with Ubuntu Pro
  php7.0-xml  7.0.33-0ubuntu0.16.04.16+esm9
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6757-1
  CVE-2022-4900, CVE-2024-2756, CVE-2024-3096

Package Information:
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.16
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.21






[USN-6746-1] Google Guest Agent and Google OS Config Agent vulnerability

2024-04-23 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6746-1
April 23, 2024

google-guest-agent, google-osconfig-agent vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

Google Guest Agent and OS Config Agent could be made to crash
if they opened a specially crafted JSON file.

Software Description:
- google-guest-agent: Google Compute Engine Guest Agent
- google-osconfig-agent: Google OS Config Agent

Details:

It was discovered that Google Guest Agent and Google OS Config Agent incorrectly
handled certain JSON files. An attacker could possibly use this issue to
cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  google-guest-agent  20231004.02-0ubuntu1~23.10.3
  google-osconfig-agent   20230504.00-0ubuntu2.2

Ubuntu 22.04 LTS:
  google-guest-agent  20231004.02-0ubuntu1~22.04.4
  google-osconfig-agent   20230504.00-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6746-1
  CVE-2024-24786

Package Information:
  
https://launchpad.net/ubuntu/+source/google-guest-agent/20231004.02-0ubuntu1~23.10.3
  
https://launchpad.net/ubuntu/+source/google-osconfig-agent/20230504.00-0ubuntu2.2
  
https://launchpad.net/ubuntu/+source/google-guest-agent/20231004.02-0ubuntu1~22.04.4
  
https://launchpad.net/ubuntu/+source/google-osconfig-agent/20230504.00-0ubuntu1~22.04.1






[USN-6729-2] Apache HTTP Server vulnerabilities

2024-04-17 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6729-2
April 17, 2024

apache2 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-6729-1 fixed several vulnerabilities in Apache. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Orange Tsai discovered that the Apache HTTP Server incorrectly handled
 validating certain input. A remote attacker could possibly use this
 issue to perform HTTP request splitting attacks. (CVE-2023-38709)

 Keran Mu and Jianjun Chen discovered that the Apache HTTP Server
 incorrectly handled validating certain input. A remote attacker could
 possibly use this issue to perform HTTP request splitting attacks.
 (CVE-2024-24795)

 Bartek Nowotarski discovered that the Apache HTTP Server HTTP/2 module
 incorrectly handled endless continuation frames. A remote attacker could
 possibly use this issue to cause the server to consume resources, leading
 to a denial of service. This issue was addressed only in Ubuntu 18.04 LTS.
 (CVE-2024-27316)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  apache2 2.4.29-1ubuntu4.27+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  apache2 2.4.18-2ubuntu3.17+esm12

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6729-2
  https://ubuntu.com/security/notices/USN-6729-1
  CVE-2023-38709, CVE-2024-24795, CVE-2024-27316



[USN-6721-2] X.Org X Server regression

2024-04-09 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6721-2
April 09, 2024

xorg-server, xwayland regression
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

A regression was fixed in X.Org X Server.

Software Description:
- xorg-server: X.Org X11 server
- xwayland: X server for running X clients under Wayland

Details:

USN-6721-1 fixed vulnerabilities in X.Org X Server. That fix was incomplete,
resulting in a regression. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that X.Org X Server incorrectly handled certain data.
 An attacker could possibly use this issue to expose sensitive information.
 (CVE-2024-31080, CVE-2024-31081, CVE-2024-31082)

 It was discovered that X.Org X Server incorrectly handled certain glyphs.
 An attacker could possibly use this issue to cause a crash or expose sensitive
 information. (CVE-2024-31083)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  xserver-xorg-core   2:21.1.7-3ubuntu2.9
  xwayland            2:23.2.0-1ubuntu0.6

Ubuntu 22.04 LTS:
  xserver-xorg-core   2:21.1.4-2ubuntu1.7~22.04.10
  xwayland            2:22.1.1-1ubuntu0.13

Ubuntu 20.04 LTS:
  xserver-xorg-core   2:1.20.13-1ubuntu1~20.04.17
  xwayland            2:1.20.13-1ubuntu1~20.04.17

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.19.6-1ubuntu4.15+esm8
  xwayland            2:1.19.6-1ubuntu4.15+esm8

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.18.4-0ubuntu0.12+esm13
  xwayland            2:1.18.4-0ubuntu0.12+esm13

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.15.1-0ubuntu2.11+esm12

After a standard system update you need to restart -APP- to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6721-2
  https://ubuntu.com/security/notices/USN-6721-1
  https://launchpad.net/bugs/2060354

Package Information:
  https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.7-3ubuntu2.9
  https://launchpad.net/ubuntu/+source/xwayland/2:23.2.0-1ubuntu0.6
  https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.7~22.04.10
  https://launchpad.net/ubuntu/+source/xwayland/2:22.1.1-1ubuntu0.13
  https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.13-1ubuntu1~20.04.17



[USN-6721-1] X.Org X Server vulnerabilities

2024-04-04 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6721-1
April 04, 2024

xorg-server, xwayland vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in X.Org X Server and xwayland.

Software Description:
- xorg-server: X.Org X11 server
- xwayland: X server for running X clients under Wayland

Details:

It was discovered that X.Org X Server incorrectly handled certain data.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2024-31080, CVE-2024-31081, CVE-2024-31082)

It was discovered that X.Org X Server incorrectly handled certain glyphs.
An attacker could possibly use this issue to cause a crash or expose sensitive
information. (CVE-2024-31083)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  xserver-xorg-core   2:21.1.7-3ubuntu2.8
  xwayland            2:23.2.0-1ubuntu0.5

Ubuntu 22.04 LTS:
  xserver-xorg-core   2:21.1.4-2ubuntu1.7~22.04.9
  xwayland            2:22.1.1-1ubuntu0.12

Ubuntu 20.04 LTS:
  xserver-xorg-core   2:1.20.13-1ubuntu1~20.04.16
  xwayland            2:1.20.13-1ubuntu1~20.04.16

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.19.6-1ubuntu4.15+esm7
  xwayland            2:1.19.6-1ubuntu4.15+esm7

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.18.4-0ubuntu0.12+esm12
  xwayland            2:1.18.4-0ubuntu0.12+esm12

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.15.1-0ubuntu2.11+esm11

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6721-1
  CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083

Package Information:
  https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.7-3ubuntu2.8
  https://launchpad.net/ubuntu/+source/xwayland/2:23.2.0-1ubuntu0.5
  https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.7~22.04.9
  https://launchpad.net/ubuntu/+source/xwayland/2:22.1.1-1ubuntu0.12
  https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.13-1ubuntu1~20.04.16



[USN-6715-1] unixODBC vulnerability

2024-03-27 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6715-1
March 27, 2024

unixodbc vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

unixODBC could be made to crash or execute arbitrary code.

Software Description:
- unixodbc: Basic ODBC tools

Details:

It was discovered that unixODBC incorrectly handled certain bytes.
An attacker could use this issue to execute arbitrary code or cause
a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libodbc2        2.3.12-1ubuntu0.23.10.1
  unixodbc        2.3.12-1ubuntu0.23.10.1

Ubuntu 22.04 LTS:
  libodbc1        2.3.9-5ubuntu0.1
  libodbc2        2.3.9-5ubuntu0.1
  unixodbc        2.3.9-5ubuntu0.1

Ubuntu 20.04 LTS:
  libodbc1        2.3.6-0.1ubuntu0.1
  unixodbc        2.3.6-0.1ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libodbc1        2.3.4-1.1ubuntu3+esm1
  unixodbc        2.3.4-1.1ubuntu3+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libodbc1        2.3.1-4.1ubuntu0.1~esm2
  unixodbc        2.3.1-4.1ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6715-1
  CVE-2024-1013

Package Information:
  https://launchpad.net/ubuntu/+source/unixodbc/2.3.12-1ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/unixodbc/2.3.9-5ubuntu0.1
  https://launchpad.net/ubuntu/+source/unixodbc/2.3.6-0.1ubuntu0.1



[USN-6718-2] curl vulnerability

2024-03-27 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6718-2
March 27, 2024

curl vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

curl could be made to consume resources, leading to a denial of service.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

USN-6718-1 fixed a vulnerability in curl. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 It was discovered that curl incorrectly handled memory when limiting the
 amount of headers when HTTP/2 server push is allowed. A remote attacker
 could possibly use this issue to cause curl to consume resources, leading
 to a denial of service. (CVE-2024-2398)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  curl            7.58.0-2ubuntu3.24+esm4
  libcurl3-gnutls 7.58.0-2ubuntu3.24+esm4
  libcurl3-nss    7.58.0-2ubuntu3.24+esm4
  libcurl4        7.58.0-2ubuntu3.24+esm4

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  curl            7.47.0-1ubuntu2.19+esm12
  libcurl3        7.47.0-1ubuntu2.19+esm12
  libcurl3-gnutls 7.47.0-1ubuntu2.19+esm12
  libcurl3-nss    7.47.0-1ubuntu2.19+esm12

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6718-2
  https://ubuntu.com/security/notices/USN-6718-1
  CVE-2024-2398



[USN-6714-1] Debian Goodies vulnerability

2024-03-25 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6714-1
March 25, 2024

debian-goodies vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

debmany in Debian Goodies could be made to execute arbitrary shell
commands if it received a specially crafted deb file.

Software Description:
- debian-goodies: Small toolbox-style utilities for Debian systems

Details:

It was discovered that debmany in Debian Goodies incorrectly handled certain
deb files. An attacker could possibly use this issue to execute arbitrary shell
commands.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  debian-goodies  0.88.1ubuntu1.2

Ubuntu 22.04 LTS:
  debian-goodies  0.87ubuntu1.1

Ubuntu 20.04 LTS:
  debian-goodies  0.84ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6714-1
  CVE-2023-27635

Package Information:
  https://launchpad.net/ubuntu/+source/debian-goodies/0.88.1ubuntu1.2
  https://launchpad.net/ubuntu/+source/debian-goodies/0.87ubuntu1.1
  https://launchpad.net/ubuntu/+source/debian-goodies/0.84ubuntu0.1



[USN-6711-1] CRM shell vulnerability

2024-03-25 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6711-1
March 25, 2024

crmsh vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

CRM shell could be made to execute arbitrary code if it received
a specially crafted input.

Software Description:
- crmsh: CRM shell for the pacemaker cluster manager

Details:

Vincent Berg discovered that CRM shell incorrectly handled certain commands.
A local attacker could possibly use this issue to execute arbitrary code
via shell code injection into the crm history command line.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  crmsh   4.2.0-2ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6711-1
  CVE-2020-35459

Package Information:
  https://launchpad.net/ubuntu/+source/crmsh/4.2.0-2ubuntu1.1



[USN-6587-5] X.Org X Server vulnerabilities

2024-03-13 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6587-5
March 13, 2024

xorg-server vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in X.Org X Server.

Software Description:
- xorg-server: X.Org X11 server

Details:

USN-6587-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 14.04 LTS.

Original advisory details:

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 memory when processing the RRChangeOutputProperty and
 RRChangeProviderProperty APIs. An attacker could possibly use this issue to
 cause the X Server to crash, or obtain sensitive information.
 (CVE-2023-6478)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An
 attacker could possibly use this issue to cause the X Server to crash,
 obtain sensitive information, or execute arbitrary code. (CVE-2023-6816)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 reattaching to a different master device. An attacker could use this issue
 to cause the X Server to crash, leading to a denial of service, or possibly
 execute arbitrary code. (CVE-2024-0229)

 Olivier Fourdan and Donn Seeley discovered that the X.Org X Server
 incorrectly labeled GLX PBuffers when used with SELinux. An attacker could
 use this issue to cause the X Server to crash, leading to a denial of
 service. (CVE-2024-0408)

 Olivier Fourdan discovered that the X.Org X Server incorrectly handled
 the cursor code when used with SELinux. An attacker could use this issue to
 cause the X Server to crash, leading to a denial of service.
 (CVE-2024-0409)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 memory when processing the XISendDeviceHierarchyEvent API. An attacker
 could possibly use this issue to cause the X Server to crash, or execute
 arbitrary code. (CVE-2024-21885)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 devices being disabled. An attacker could possibly use this issue to cause
 the X Server to crash, or execute arbitrary code. (CVE-2024-21886)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.15.1-0ubuntu2.11+esm9

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6587-5
  https://ubuntu.com/security/notices/USN-6587-1
  CVE-2023-6478, CVE-2023-6816, CVE-2024-0229, CVE-2024-0408,
  CVE-2024-21885, CVE-2024-21886



[USN-6689-1] Rack vulnerabilities

2024-03-12 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6689-1
March 12, 2024

ruby-rack vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10

Summary:

Rack could be made to cause a denial of service if it received a specially
crafted header.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack incorrectly parsed certain headers.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27539, CVE-2024-26141, CVE-2024-26146)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  ruby-rack   2.2.4-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6689-1
  CVE-2023-27539, CVE-2024-26141, CVE-2024-26146

Package Information:
  https://launchpad.net/ubuntu/+source/ruby-rack/2.2.4-3ubuntu0.1



[USN-6674-2] Django vulnerability

2024-03-04 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6674-2
March 04, 2024

python-django vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Django could be made to consume resources or crash if it received specially
crafted network traffic.

Software Description:
- python-django: High-level Python web development framework

Details:

USN-6674-1 fixed a vulnerability in Django. This update provides
the corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

 Seokchan Yoon discovered that the Django Truncator function incorrectly
 handled very long HTML input. A remote attacker could possibly use this
 issue to cause Django to consume resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  python-django   1:1.11.11-1ubuntu1.21+esm4
  python3-django  1:1.11.11-1ubuntu1.21+esm4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6674-2
  https://ubuntu.com/security/notices/USN-6674-1
  CVE-2024-27351



[USN-6664-1] less vulnerability

2024-02-27 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6664-1
February 27, 2024

less vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

less could be made to crash or run arbitrary commands if it received
crafted input.

Software Description:
- less: pager program similar to more

Details:

It was discovered that less incorrectly handled certain file names.
An attacker could possibly use this issue to cause a crash or execute
arbitrary commands.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  less            590-2ubuntu0.23.10.1

Ubuntu 22.04 LTS:
  less            590-1ubuntu0.22.04.2

Ubuntu 20.04 LTS:
  less            551-1ubuntu0.2

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  less            487-0.1ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  less            481-2.1ubuntu0.2+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6664-1
  CVE-2022-48624

Package Information:
  https://launchpad.net/ubuntu/+source/less/590-2ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/less/590-1ubuntu0.22.04.2
  https://launchpad.net/ubuntu/+source/less/551-1ubuntu0.2



[USN-6305-2] PHP vulnerabilities

2024-02-27 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6305-2
February 27, 2024

php7.0, php7.2, php7.4 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in PHP.

Software Description:
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-6305-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 
20.04 LTS.

Original advisory details:

 It was discovered that PHP incorrectly handled certain XML files.
 An attacker could possibly use this issue to expose sensitive information.
 (CVE-2023-3823)

 It was discovered that PHP incorrectly handled certain PHAR files.
 An attacker could possibly use this issue to cause a crash,
 expose sensitive information or execute arbitrary code.
 (CVE-2023-3824)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  libapache2-mod-php7.4   7.4.3-4ubuntu2.20
  php7.4  7.4.3-4ubuntu2.20
  php7.4-cgi  7.4.3-4ubuntu2.20
  php7.4-cli  7.4.3-4ubuntu2.20
  php7.4-fpm  7.4.3-4ubuntu2.20
  php7.4-xml  7.4.3-4ubuntu2.20

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libapache2-mod-php7.2   7.2.24-0ubuntu0.18.04.17+esm2
  php7.2  7.2.24-0ubuntu0.18.04.17+esm2
  php7.2-cgi  7.2.24-0ubuntu0.18.04.17+esm2
  php7.2-cli  7.2.24-0ubuntu0.18.04.17+esm2
  php7.2-fpm  7.2.24-0ubuntu0.18.04.17+esm2
  php7.2-xml  7.2.24-0ubuntu0.18.04.17+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libapache2-mod-php7.0   7.0.33-0ubuntu0.16.04.16+esm8
  php7.0  7.0.33-0ubuntu0.16.04.16+esm8
  php7.0-cgi  7.0.33-0ubuntu0.16.04.16+esm8
  php7.0-cli  7.0.33-0ubuntu0.16.04.16+esm8
  php7.0-fpm  7.0.33-0ubuntu0.16.04.16+esm8
  php7.0-xml  7.0.33-0ubuntu0.16.04.16+esm8

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6305-2
  https://ubuntu.com/security/notices/USN-6305-1
  CVE-2023-3823, CVE-2023-3824

Package Information:
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.20



[USN-6623-1] Django vulnerability

2024-02-06 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6623-1
February 06, 2024

python-django vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Django could be made to cause a denial of service if it received specially
crafted input.

Software Description:
- python-django: High-level Python web development framework

Details:

It was discovered that Django incorrectly handled certain inputs passed
to the intcomma template filter. An attacker could possibly use this
issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  python3-django  3:4.2.4-1ubuntu2.1

Ubuntu 22.04 LTS:
  python3-django  2:3.2.12-2ubuntu1.10

Ubuntu 20.04 LTS:
  python3-django  2:2.2.12-1ubuntu0.21

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  python-django   1:1.11.11-1ubuntu1.21+esm3
  python3-django  1:1.11.11-1ubuntu1.21+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6623-1
  CVE-2024-24680

Package Information:
  https://launchpad.net/ubuntu/+source/python-django/3:4.2.4-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.10
  https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.21



[USN-6587-4] X.Org X Server regression

2024-02-01 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6587-4
February 01, 2024

xorg-server, xwayland regression
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

A regression was fixed in X.Org X Server.

Software Description:
- xorg-server: X.Org X11 server

Details:

USN-6587-1 fixed vulnerabilities in X.Org X Server. The fix was incomplete,
resulting in a possible regression. This update fixes the problem.

Original advisory details:

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An
 attacker could possibly use this issue to cause the X Server to crash,
 obtain sensitive information, or execute arbitrary code. (CVE-2023-6816)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 reattaching to a different master device. An attacker could use this issue
 to cause the X Server to crash, leading to a denial of service, or possibly
 execute arbitrary code. (CVE-2024-0229)

 Olivier Fourdan and Donn Seeley discovered that the X.Org X Server
 incorrectly labeled GLX PBuffers when used with SELinux. An attacker could
 use this issue to cause the X Server to crash, leading to a denial of
 service. (CVE-2024-0408)

 Olivier Fourdan discovered that the X.Org X Server incorrectly handled
 the cursor code when used with SELinux. An attacker could use this issue to
 cause the X Server to crash, leading to a denial of service.
 (CVE-2024-0409)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 memory when processing the XISendDeviceHierarchyEvent API. An attacker
 could possibly use this issue to cause the X Server to crash, or execute
 arbitrary code. (CVE-2024-21885)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 devices being disabled. An attacker could possibly use this issue to cause
 the X Server to crash, or execute arbitrary code. (CVE-2024-21886)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.19.6-1ubuntu4.15+esm5
  xwayland            2:1.19.6-1ubuntu4.15+esm5

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.18.4-0ubuntu0.12+esm10
  xwayland            2:1.18.4-0ubuntu0.12+esm10

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6587-4
  https://ubuntu.com/security/notices/USN-6587-1
  https://launchpad.net/bugs/2051536



[USN-6611-1] Exim vulnerability

2024-01-29 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6611-1
January 29, 2024

exim4 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Exim could be made to bypass an SPF protection mechanism if it received
a specially crafted request.

Software Description:
- exim4: Exim is a mail transport agent

Details:

It was discovered that Exim incorrectly handled certain requests.
A remote attacker could possibly use a published exploitation technique
to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass
of an SPF protection mechanism.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  exim4   4.96-17ubuntu2.2
  exim4-base  4.96-17ubuntu2.2
  eximon4 4.96-17ubuntu2.2

Ubuntu 22.04 LTS:
  exim4   4.95-4ubuntu2.5
  exim4-base  4.95-4ubuntu2.5
  eximon4 4.95-4ubuntu2.5

Ubuntu 20.04 LTS:
  exim4   4.93-13ubuntu1.10
  exim4-base  4.93-13ubuntu1.10
  eximon4 4.93-13ubuntu1.10

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  exim4   4.90.1-1ubuntu1.10+esm3
  exim4-base  4.90.1-1ubuntu1.10+esm3
  eximon4 4.90.1-1ubuntu1.10+esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  exim4   4.86.2-2ubuntu2.6+esm6
  exim4-base  4.86.2-2ubuntu2.6+esm6
  eximon4 4.86.2-2ubuntu2.6+esm6

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6611-1
  CVE-2023-51766

Package Information:
  https://launchpad.net/ubuntu/+source/exim4/4.96-17ubuntu2.2
  https://launchpad.net/ubuntu/+source/exim4/4.95-4ubuntu2.5
  https://launchpad.net/ubuntu/+source/exim4/4.93-13ubuntu1.10



[USN-6599-1] Jinja2 vulnerabilities

2024-01-25 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6599-1
January 25, 2024

jinja2 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in jinja2.

Software Description:
- jinja2: documentation for the Jinja2 Python library

Details:

Yeting Li discovered that Jinja incorrectly handled certain regular expressions.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 LTS, Ubuntu 18.04 LTS, and
Ubuntu 20.04 LTS. (CVE-2020-28493)

It was discovered that Jinja incorrectly handled certain HTML passed to the
xmlattr filter. An attacker could inject arbitrary HTML attribute keys and
values, potentially leading to XSS. (CVE-2024-22195)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  python3-jinja2  3.1.2-1ubuntu0.23.10.1

Ubuntu 22.04 LTS:
  python3-jinja2  3.0.3-1ubuntu0.1

Ubuntu 20.04 LTS:
  python-jinja2   2.10.1-2ubuntu0.2
  python3-jinja2  2.10.1-2ubuntu0.2

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  python-jinja2   2.10-1ubuntu0.18.04.1+esm1
  python3-jinja2  2.10-1ubuntu0.18.04.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  python-jinja2   2.8-1ubuntu0.1+esm2
  python3-jinja2  2.8-1ubuntu0.1+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  python-jinja2   2.7.2-2ubuntu0.1~esm2
  python3-jinja2  2.7.2-2ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6599-1
  CVE-2020-28493, CVE-2024-22195

Package Information:
  https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/jinja2/3.0.3-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/jinja2/2.10.1-2ubuntu0.2



[USN-6587-2] X.Org X Server vulnerabilities

2024-01-22 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6587-2
January 22, 2024

xorg-server vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in X.Org X Server.

Software Description:
- xorg-server: X.Org X11 server

Details:

USN-6587-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An
 attacker could possibly use this issue to cause the X Server to crash,
 obtain sensitive information, or execute arbitrary code. (CVE-2023-6816)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 reattaching to a different master device. An attacker could use this issue
 to cause the X Server to crash, leading to a denial of service, or possibly
 execute arbitrary code. (CVE-2024-0229)

 Olivier Fourdan and Donn Seeley discovered that the X.Org X Server
 incorrectly labeled GLX PBuffers when used with SELinux. An attacker could
 use this issue to cause the X Server to crash, leading to a denial of
 service. (CVE-2024-0408)

 Olivier Fourdan discovered that the X.Org X Server incorrectly handled
 the cursor code when used with SELinux. An attacker could use this issue to
 cause the X Server to crash, leading to a denial of service.
 (CVE-2024-0409)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 memory when processing the XISendDeviceHierarchyEvent API. An attacker
 could possibly use this issue to cause the X Server to crash, or execute
 arbitrary code. (CVE-2024-21885)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 devices being disabled. An attacker could possibly use this issue to cause
 the X Server to crash, or execute arbitrary code. (CVE-2024-21886)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.19.6-1ubuntu4.15+esm4
  xwayland            2:1.19.6-1ubuntu4.15+esm4

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.18.4-0ubuntu0.12+esm9
  xwayland            2:1.18.4-0ubuntu0.12+esm9

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6587-2
  https://ubuntu.com/security/notices/USN-6587-1
  CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409,
  CVE-2024-21885, CVE-2024-21886


[USN-6580-1] w3m vulnerability

2024-01-15 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6580-1
January 15, 2024

w3m vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

w3m could be made to crash or run programs as your login if it opened a 
malicious website.

Software Description:
- w3m: WWW browsable pager with excellent tables/frames support

Details:

It was discovered that w3m incorrectly handled certain HTML files.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  w3m 0.5.3+git20230121-2ubuntu0.23.10.1

Ubuntu 23.04:
  w3m 0.5.3+git20230121-2ubuntu0.23.04.1

Ubuntu 22.04 LTS:
  w3m 0.5.3+git20210102-6ubuntu0.2

Ubuntu 20.04 LTS:
  w3m 0.5.3-37ubuntu0.2

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  w3m 0.5.3-36ubuntu0.1+esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  w3m 0.5.3-15ubuntu0.2+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6580-1
  CVE-2023-4255

Package Information:
  https://launchpad.net/ubuntu/+source/w3m/0.5.3+git20230121-2ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/w3m/0.5.3+git20230121-2ubuntu0.23.04.1
  https://launchpad.net/ubuntu/+source/w3m/0.5.3+git20210102-6ubuntu0.2
  https://launchpad.net/ubuntu/+source/w3m/0.5.3-37ubuntu0.2


[USN-6560-2] OpenSSH vulnerabilities

2024-01-11 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6560-2
January 11, 2024

openssh vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in OpenSSH.

Software Description:
- openssh: secure shell (SSH) for secure access to remote machines

Details:

USN-6560-1 fixed several vulnerabilities in OpenSSH. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH
 protocol was vulnerable to a prefix truncation attack. If a remote attacker
 was able to intercept SSH communications, extension negotiation messages
 could be truncated, possibly leading to certain algorithms and features
 being downgraded. This issue is known as the Terrapin attack. This update
 adds protocol extensions to mitigate this issue. (CVE-2023-48795)

 It was discovered that OpenSSH incorrectly handled user names or host names
 with shell metacharacters. An attacker could possibly use this issue to
 perform OS command injection. This only affected Ubuntu 18.04 LTS.
 (CVE-2023-51385)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  openssh-client  1:7.6p1-4ubuntu0.7+esm3
  openssh-server  1:7.6p1-4ubuntu0.7+esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  openssh-client  1:7.2p2-4ubuntu2.10+esm5
  openssh-server  1:7.2p2-4ubuntu2.10+esm5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6560-2
  https://ubuntu.com/security/notices/USN-6560-1
  CVE-2023-48795, CVE-2023-51385


[USN-6556-1] Budgie Extras vulnerabilities

2023-12-14 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6556-1
December 14, 2023

budgie-extras vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in budgie-extras.

Software Description:
- budgie-extras: Applet to provide an alternative means to launch applications

Details:

It was discovered that Budgie Extras incorrectly handled certain temporary
file paths. An attacker could possibly use this issue to inject false
information or deny access to the application. (CVE-2023-49342,
CVE-2023-49343, CVE-2023-49347)

Matthias Gerstner discovered that Budgie Extras incorrectly handled certain
temporary file paths. A local attacker could use this to inject arbitrary PNG
data in this path and have it displayed on the victim's desktop or deny access
to the application. (CVE-2023-49344)

Matthias Gerstner discovered that Budgie Extras incorrectly handled certain
temporary file paths. A local attacker could use this to inject false
information or deny access to the application. (CVE-2023-49345,
CVE-2023-49346)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  budgie-clockworks-applet    1.7.0-3.0ubuntu1
  budgie-dropby-applet        1.7.0-3.0ubuntu1
  budgie-previews             1.7.0-3.0ubuntu1
  budgie-takeabreak-applet    1.7.0-3.0ubuntu1
  budgie-weathershow-applet   1.7.0-3.0ubuntu1

Ubuntu 23.04:
  budgie-clockworks-applet    1.6.0-1ubuntu0.1
  budgie-dropby-applet        1.6.0-1ubuntu0.1
  budgie-previews-applet      1.6.0-1ubuntu0.1
  budgie-takeabreak-applet    1.6.0-1ubuntu0.1
  budgie-weathershow-applet   1.6.0-1ubuntu0.1

Ubuntu 22.04 LTS:
  budgie-clockworks-applet    1.4.0-1ubuntu3.1
  budgie-dropby-applet        1.4.0-1ubuntu3.1
  budgie-previews-applet      1.4.0-1ubuntu3.1
  budgie-takeabreak-applet    1.4.0-1ubuntu3.1
  budgie-weathershow-applet   1.4.0-1ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6556-1
  CVE-2023-49342, CVE-2023-49343, CVE-2023-49344, CVE-2023-49345,
  CVE-2023-49346, CVE-2023-49347

Package Information:
  https://launchpad.net/ubuntu/+source/budgie-extras/1.7.0-3.0ubuntu1
  https://launchpad.net/ubuntu/+source/budgie-extras/1.6.0-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/budgie-extras/1.4.0-1ubuntu3.1


[USN-6555-2] X.Org X Server vulnerabilities

2023-12-13 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6555-2
December 13, 2023

xorg-server vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in X.Org X Server.

Software Description:
- xorg-server: X.Org X11 server

Details:

USN-6555-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled XKB
 button actions. An attacker could possibly use this issue to cause the X
 Server to crash, execute arbitrary code, or escalate privileges.
 (CVE-2023-6377)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 memory when processing the RRChangeOutputProperty and
 RRChangeProviderProperty APIs. An attacker could possibly use this issue to
 cause the X Server to crash, or obtain sensitive information.
 (CVE-2023-6478)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.19.6-1ubuntu4.15+esm3
  xwayland            2:1.19.6-1ubuntu4.15+esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.18.4-0ubuntu0.12+esm8
  xwayland            2:1.18.4-0ubuntu0.12+esm8

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6555-2
  https://ubuntu.com/security/notices/USN-6555-1
  CVE-2023-6377, CVE-2023-6478


[USN-6500-2] Squid vulnerabilities

2023-12-11 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6500-2
December 11, 2023

squid3 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid3: Web proxy cache server

Details:

USN-6500-1 fixed several vulnerabilities in Squid. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Joshua Rogers discovered that Squid incorrectly handled the Gopher
 protocol. A remote attacker could possibly use this issue to cause Squid to
 crash, resulting in a denial of service. Gopher support has been disabled
 in this update. (CVE-2023-46728)

 Joshua Rogers discovered that Squid incorrectly handled HTTP Digest
 Authentication. A remote attacker could possibly use this issue to cause
 Squid to crash, resulting in a denial of service. (CVE-2023-46847)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  squid   3.5.27-1ubuntu1.14+esm1
  squid3  3.5.27-1ubuntu1.14+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  squid   3.5.12-1ubuntu7.16+esm2
  squid3  3.5.12-1ubuntu7.16+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6500-2
  https://ubuntu.com/security/notices/USN-6500-1
  CVE-2023-46728, CVE-2023-46847


[USN-6522-2] FreeRDP vulnerabilities

2023-12-07 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6522-2
December 07, 2023

freerdp2 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in FreeRDP.

Software Description:
- freerdp2: RDP client for Windows Terminal Services

Details:

USN-6522-1 fixed several vulnerabilities in FreeRDP. This update provides
the corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

 It was discovered that FreeRDP incorrectly handled drive redirection. If a
 user were tricked into connecting to a malicious server, a remote attacker
 could use this issue to cause FreeRDP to crash, resulting in a denial of
 service, or possibly obtain sensitive information. (CVE-2022-41877)
 
 It was discovered that FreeRDP incorrectly handled certain surface updates.
 A remote attacker could use this issue to cause FreeRDP to crash, resulting
 in a denial of service, or possibly execute arbitrary code.
 (CVE-2023-39352, CVE-2023-39356)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libfreerdp2-2   2.2.0+dfsg1-0ubuntu0.18.04.4+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6522-2
  https://ubuntu.com/security/notices/USN-6522-1
  CVE-2022-41877, CVE-2023-39352, CVE-2023-39356


[USN-6519-2] EC2 hibagent update

2023-11-29 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6519-2
November 29, 2023

ec2-hibinit-agent update
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

A security improvement was added to EC2 hibagent.

Software Description:
- ec2-hibinit-agent: Amazon EC2 hibernation agent

Details:

USN-6519-1 added IMDSv2 support to EC2 hibagent. This update provides
the corresponding update for Ubuntu 16.04 LTS.

Original advisory details:

 The EC2 hibagent package has been updated to add IMDSv2 support, as IMDSv1
 uses an insecure protocol and is no longer recommended.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  ec2-hibinit-agent   1.0.0-0ubuntu4~16.04.4+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6519-2
  https://ubuntu.com/security/notices/USN-6519-1
  https://launchpad.net/bugs/1941785


[USN-6519-1] EC2 hibagent update

2023-11-28 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6519-1
November 28, 2023

ec2-hibinit-agent update
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

A security improvement was added to EC2 hibagent.

Software Description:
- ec2-hibinit-agent: Amazon EC2 hibernation agent

Details:

The EC2 hibagent package has been updated to add IMDSv2 support, as IMDSv1
uses an insecure protocol and is no longer recommended.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  ec2-hibinit-agent   1.0.0-0ubuntu4~18.04.6+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6519-1
  https://launchpad.net/bugs/1941785


[USN-6402-2] LibTomMath vulnerability

2023-11-27 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6402-2
November 27, 2023

libtommath vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10

Summary:

LibTomMath could be made to execute arbitrary code or cause a denial of
service if it received specially crafted input.

Software Description:
- libtommath: multiple-precision integer library [development files]

Details:

USN-6402-1 fixed vulnerabilities in LibTomMath. This update
provides the corresponding updates for Ubuntu 23.10.

Original advisory details:

 It was discovered that LibTomMath incorrectly handled certain inputs.
 An attacker could possibly use this issue to execute arbitrary code
 and cause a denial of service (DoS).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libtommath1 1.2.0-6ubuntu0.23.10.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6402-2
  https://ubuntu.com/security/notices/USN-6402-1
  CVE-2023-36328

Package Information:
  https://launchpad.net/ubuntu/+source/libtommath/1.2.0-6ubuntu0.23.10.1


[USN-6501-1] RabbitMQ vulnerability

2023-11-21 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6501-1
November 21, 2023

rabbitmq-server vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

RabbitMQ could be made to deny service if it received a specially crafted
HTTP request.

Software Description:
- rabbitmq-server: AMQP server written in Erlang

Details:

It was discovered that RabbitMQ incorrectly handled certain HTTP requests.
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  rabbitmq-server 3.12.1-1ubuntu0.1

Ubuntu 23.04:
  rabbitmq-server 3.10.8-1.1ubuntu0.1

Ubuntu 22.04 LTS:
  rabbitmq-server 3.9.13-1ubuntu0.22.04.2

Ubuntu 20.04 LTS:
  rabbitmq-server 3.8.2-0ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6501-1
  CVE-2023-46118

Package Information:
  https://launchpad.net/ubuntu/+source/rabbitmq-server/3.12.1-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/rabbitmq-server/3.10.8-1.1ubuntu0.1
  https://launchpad.net/ubuntu/+source/rabbitmq-server/3.9.13-1ubuntu0.22.04.2
  https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.2-0ubuntu1.5


[USN-6493-2] hibagent update

2023-11-21 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6493-2
November 21, 2023

hibagent update
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

A security improvement was added to hibagent.

Software Description:
- hibagent: Agent that triggers hibernation on EC2 instances

Details:

USN-6493-1 fixed a vulnerability in hibagent. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 On Ubuntu 18.04 LTS and Ubuntu 16.04 LTS, the hibagent package has been
 updated to add IMDSv2 support, as IMDSv1 uses an insecure protocol and is
 no longer recommended.

 In addition, on all releases, hibagent has been updated to do nothing if
 ODH is configured.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  hibagent            1.0.1-0ubuntu1.18.04.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  hibagent            1.0.1-0ubuntu1~16.04.1+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6493-2
  https://ubuntu.com/security/notices/USN-6493-1
  https://launchpad.net/bugs/


[USN-6486-1] iniParser vulnerability

2023-11-20 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6486-1
November 20, 2023

iniparser vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS

Summary:

Iniparser could be made to crash if it received a specially crafted file.

Software Description:
- iniparser: development files for the iniParser INI file reader/writer

Details:

It was discovered that iniParser incorrectly handled certain files.
An attacker could possibly use this issue to cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libiniparser1   4.1-6ubuntu0.23.10.1

Ubuntu 23.04:
  libiniparser1   4.1-6ubuntu0.23.04.1

Ubuntu 22.04 LTS:
  libiniparser1   4.1-4ubuntu4.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6486-1
  CVE-2023-33461

Package Information:
  https://launchpad.net/ubuntu/+source/iniparser/4.1-6ubuntu0.23.10.1
  https://launchpad.net/ubuntu/+source/iniparser/4.1-6ubuntu0.23.04.1
  https://launchpad.net/ubuntu/+source/iniparser/4.1-4ubuntu4.1


[USN-6453-2] X.Org X Server vulnerabilities

2023-10-31 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6453-2
October 31, 2023

xorg-server vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in X.Org X Server, xwayland.

Software Description:
- xorg-server: X.Org X11 server

Details:

USN-6453-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS.

Original advisory details:

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
 prepending values to certain properties. An attacker could possibly use
 this issue to cause the X Server to crash, execute arbitrary code, or
 escalate privileges. (CVE-2023-5367)

 Sri discovered that the X.Org X Server incorrectly handled destroying
 windows in certain legacy multi-screen setups. An attacker could possibly
 use this issue to cause the X Server to crash, execute arbitrary code, or
 escalate privileges. (CVE-2023-5380)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.19.6-1ubuntu4.15+esm1
  xwayland            2:1.19.6-1ubuntu4.15+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.18.4-0ubuntu0.12+esm6
  xwayland            2:1.18.4-0ubuntu0.12+esm6

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  xserver-xorg-core   2:1.15.1-0ubuntu2.11+esm8

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6453-2
  https://ubuntu.com/security/notices/USN-6453-1
  CVE-2023-5367, CVE-2023-5380


[USN-6288-2] MySQL vulnerability

2023-10-24 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6288-2
October 24, 2023

mysql-5.7 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database

Details:

USN-6288-1 fixed a vulnerability in MySQL. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Multiple security issues were discovered in MySQL and this update includes
 new upstream MySQL versions to fix these issues.

 MySQL has been updated to 5.7.43 in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

 In addition to security fixes, the updated packages contain bug fixes, new
 features, and possibly incompatible changes.

 Please see the following for more information:
 https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-43.html
 https://www.oracle.com/security-alerts/cpujul2023.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  mysql-server-5.7    5.7.43-0ubuntu0.18.04.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  mysql-server-5.7    5.7.43-0ubuntu0.16.04.1+esm1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-6288-2
  https://ubuntu.com/security/notices/USN-6288-1
  CVE-2023-22053


[USN-6408-2] libXpm vulnerabilities

2023-10-23 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6408-2
October 23, 2023

libxpm vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in libXpm.

Software Description:
- libxpm: X11 pixmap library

Details:

USN-6408-1 fixed several vulnerabilities in libXpm. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS.

Original advisory details:

 Yair Mizrahi discovered that libXpm incorrectly handled certain malformed
 XPM image files. If a user were tricked into opening a specially crafted
 XPM image file, a remote attacker could possibly use this issue to consume
 memory, leading to a denial of service. (CVE-2023-43786)

 Yair Mizrahi discovered that libXpm incorrectly handled certain malformed
 XPM image files. If a user were tricked into opening a specially crafted
 XPM image file, a remote attacker could use this issue to cause libXpm to
 crash, leading to a denial of service, or possibly execute arbitrary code.
 (CVE-2023-43787)

 Alan Coopersmith discovered that libXpm incorrectly handled certain
 malformed XPM image files. If a user were tricked into opening a specially
 crafted XPM image file, a remote attacker could possibly use this issue to
 cause libXpm to crash, leading to a denial of service. (CVE-2023-43788,
 CVE-2023-43789)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libxpm4 1:3.5.12-1ubuntu0.18.04.2+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libxpm4 1:3.5.11-1ubuntu0.16.04.1+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  libxpm4 1:3.5.10-1ubuntu0.1+esm2

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6408-2
  https://ubuntu.com/security/notices/USN-6408-1
  CVE-2023-43786, CVE-2023-43787, CVE-2023-43788, CVE-2023-43789


[USN-6403-2] libvpx vulnerabilities

2023-10-23 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6403-2
October 23, 2023

libvpx vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in libvpx.

Software Description:
- libvpx: VP8 and VP9 video codec

Details:

USN-6403-1 fixed several vulnerabilities in libvpx. This update provides
the corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

 It was discovered that libvpx did not properly handle certain malformed
 media files. If an application using libvpx opened a specially crafted
 file, a remote attacker could cause a denial of service, or possibly
 execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libvpx5 1.7.0-3ubuntu0.18.04.1+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6403-2
  https://ubuntu.com/security/notices/USN-6403-1
  CVE-2023-44488, CVE-2023-5217


[USN-6394-2] Python vulnerability

2023-10-17 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6394-2
October 17, 2023

python2.7 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Python could be made to execute arbitrary code if it received
a specially crafted script.

Software Description:
- python2.7: An interactive high-level object-oriented language

Details:

USN-6394-1 fixed a vulnerability in Python. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS.

Original advisory details:

 It was discovered that Python incorrectly handled certain scripts.
 An attacker could possibly use this issue to execute arbitrary code
 or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  python2.7   2.7.17-1~18.04ubuntu1.13+esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  python2.7   2.7.12-1ubuntu0~16.04.18+esm8

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  python2.7   2.7.6-8ubuntu0.6+esm17

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6394-2
  https://ubuntu.com/security/notices/USN-6394-1
  CVE-2022-48560


[USN-6429-2] curl vulnerability

2023-10-11 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6429-2
October 11, 2023

curl vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

USN-6429-1 fixed a vulnerability in curl. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS
and Ubuntu 18.04 LTS.

Original advisory details:

 It was discovered that curl incorrectly handled cookies when an application
 duplicated certain handles. A local attacker could possibly create a cookie
 file and inject arbitrary cookies into subsequent connections.
 (CVE-2023-38546)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  curl            7.58.0-2ubuntu3.24+esm2
  libcurl3-gnutls 7.58.0-2ubuntu3.24+esm2
  libcurl3-nss    7.58.0-2ubuntu3.24+esm2
  libcurl4        7.58.0-2ubuntu3.24+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  curl            7.47.0-1ubuntu2.19+esm10
  libcurl3        7.47.0-1ubuntu2.19+esm10
  libcurl3-gnutls 7.47.0-1ubuntu2.19+esm10
  libcurl3-nss    7.47.0-1ubuntu2.19+esm10

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  curl            7.35.0-1ubuntu2.20+esm17
  libcurl3        7.35.0-1ubuntu2.20+esm17
  libcurl3-gnutls 7.35.0-1ubuntu2.20+esm17
  libcurl3-nss    7.35.0-1ubuntu2.20+esm17

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6429-2
  https://ubuntu.com/security/notices/USN-6429-1
  CVE-2023-38546


[USN-6407-2] libx11 vulnerabilities

2023-10-10 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6407-2
October 10, 2023

libx11 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in libx11.

Software Description:
- libx11: X11 client-side library

Details:

USN-6407-1 fixed several vulnerabilities in libx11. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS.

Original advisory details:

 Gregory James Duck discovered that libx11 incorrectly handled certain
 keyboard symbols. If a user were tricked into connecting to a malicious X
 server, a remote attacker could use this issue to cause libx11 to crash,
 resulting in a denial of service, or possibly execute arbitrary code.
 (CVE-2023-43785)

 Yair Mizrahi discovered that libx11 incorrectly handled certain malformed
 XPM image files. If a user were tricked into opening a specially crafted
 XPM image file, a remote attacker could possibly use this issue to consume
 memory, leading to a denial of service. (CVE-2023-43786)

 Yair Mizrahi discovered that libx11 incorrectly handled certain malformed
 XPM image files. If a user were tricked into opening a specially crafted
 XPM image file, a remote attacker could use this issue to cause libx11 to
 crash, leading to a denial of service, or possibly execute arbitrary code.
 (CVE-2023-43787)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libx11-6  2:1.6.4-3ubuntu0.4+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libx11-6  2:1.6.3-1ubuntu2.2+esm4

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  libx11-6  2:1.6.2-1ubuntu2.1+esm5

After a standard system update you need to reboot your computer to make all
the necessary changes.
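The update instructions above name one fixed version per package, so the practical check on a host is whether the installed version sorts at or above that version under dpkg's ordering rules: the epoch before the colon (the `2:` in `2:1.6.4-3ubuntu0.4+esm2`) outranks everything after it, digit runs compare numerically, and `~` sorts before the empty string, which is why `1ubuntu0.1~esm1` is older than `1ubuntu0.1`. The following is an added example and is not part of the Ubuntu notice or of dpkg; it reimplements the dpkg comparison rules in Python so the check can run offline over collected `dpkg-query` output. The fixed versions are the ones listed for Ubuntu 18.04 LTS above; the installed versions in the sample output are constructed for the example.

```python
"""Check installed package versions against the fixed versions in a USN.

Added example, not part of the Ubuntu Security Notice or of dpkg. It
reimplements dpkg's version ordering (epoch, upstream version, Debian
revision) so that the comparison runs without dpkg being installed.
"""


def _order(c):
    """Weight of one character inside a non-digit run, as dpkg's order() defines it."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1           # '~' sorts before the end of the string
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does.

    Alternates between non-digit runs (compared character by character with
    _order) and digit runs (compared numerically, leading zeros ignored).
    """
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return -1 if ac < bc else 1
            a, b = a[1:], b[1:]
        a = a.lstrip("0")
        b = b.lstrip("0")
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1            # a has more digits, so it is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                 # no Debian revision present
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed, fixed):
    """True when the installed version already carries the fix."""
    return compare_versions(installed, fixed) >= 0


# Fixed versions from the USN-6407-2 table (Ubuntu 18.04 LTS).
USN_6407_2_FIXED = {"libx11-6": "2:1.6.4-3ubuntu0.4+esm2"}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output;
# the installed versions here are made up for the example.
SAMPLE_DPKG_OUTPUT = """\
libx11-6 2:1.6.4-3ubuntu0.4+esm1
libx11-data 2:1.6.4-3ubuntu0.4+esm2
"""


def vulnerable_packages(dpkg_output, fixed_versions):
    """Return {package: installed_version} for packages still below the fixed version."""
    still_vulnerable = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, installed = line.split(None, 1)
        fixed = fixed_versions.get(name)
        if fixed is not None and not is_fixed(installed, fixed):
            still_vulnerable[name] = installed
    return still_vulnerable


if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(SAMPLE_DPKG_OUTPUT, USN_6407_2_FIXED).items():
        print(f"{pkg} {ver} is below {USN_6407_2_FIXED[pkg]}: update required")
```

On a live host, `dpkg --compare-versions "$installed" ge "$fixed"` performs the same comparison with the reference implementation; the pure-Python version is useful when auditing `dpkg-query` output gathered from many machines in one place. Note that a plain string or float comparison gets the epoch and the `~` cases wrong, which is exactly where ESM versions such as `1.0.1-1ubuntu0.1~esm1` and epoch-carrying packages such as `libx11-6` differ from the naive reading.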

References:
  https://ubuntu.com/security/notices/USN-6407-2
  https://ubuntu.com/security/notices/USN-6407-1
  CVE-2023-43785, CVE-2023-43786, CVE-2023-43787






[USN-6423-1] CUE vulnerability

2023-10-09 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6423-1
October 09, 2023

libcue vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

CUE could be made to execute arbitrary code if it received a specially
crafted file.

Software Description:
- libcue: CUE Sheet Parser Library - development files

Details:

It was discovered that CUE incorrectly handled certain files.
An attacker could possibly use this issue to expose sensitive
information or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
  libcue2 2.2.1-4ubuntu0.1

Ubuntu 22.04 LTS:
  libcue2 2.2.1-3ubuntu0.1

Ubuntu 20.04 LTS:
  libcue2 2.2.1-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6423-1
  CVE-2023-43641

Package Information:
  https://launchpad.net/ubuntu/+source/libcue/2.2.1-4ubuntu0.1
  https://launchpad.net/ubuntu/+source/libcue/2.2.1-3ubuntu0.1
  https://launchpad.net/ubuntu/+source/libcue/2.2.1-2ubuntu0.1






[USN-6414-2] Django vulnerabilities

2023-10-04 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6414-2
October 04, 2023

python-django vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Django.

Software Description:
- python-django: High-level Python web development framework

Details:

USN-6414-1 and USN-6378-1 fixed CVE-2023-43665 and CVE-2023-41164 in Django,
respectively. This update provides the corresponding update for Ubuntu 18.04 
LTS.

Original advisory details:

 Wenchao Li discovered that the Django Truncator function incorrectly
 handled very long HTML input. A remote attacker could possibly use this
 issue to cause Django to consume resources, leading to a denial of service.

 It was discovered that Django incorrectly handled certain URIs with a very
 large number of Unicode characters. A remote attacker could possibly use
 this issue to cause Django to consume resources or crash, leading to a
 denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  python3-django  1:1.11.11-1ubuntu1.21+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6414-2
  https://ubuntu.com/security/notices/USN-6414-1
  CVE-2023-41164, CVE-2023-43665






[USN-6402-1] LibTomMath vulnerability

2023-10-02 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6402-1
October 02, 2023

libtommath vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

LibTomMath could be made to execute arbitrary code or cause a denial of
service if it received specially crafted input.

Software Description:
- libtommath: multiple-precision integer library [development files]

Details:

It was discovered that LibTomMath incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code
and cause a denial of service (DoS).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
  libtommath1 1.2.0-6ubuntu0.23.04.1

Ubuntu 22.04 LTS:
  libtommath1 1.2.0-6ubuntu0.22.04.1

Ubuntu 20.04 LTS:
  libtommath1 1.2.0-3ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libtommath1 1.0.1-1ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libtommath0 0.42.0-1.2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6402-1
  CVE-2023-36328

Package Information:
  https://launchpad.net/ubuntu/+source/libtommath/1.2.0-6ubuntu0.23.04.1
  https://launchpad.net/ubuntu/+source/libtommath/1.2.0-6ubuntu0.22.04.1
  https://launchpad.net/ubuntu/+source/libtommath/1.2.0-3ubuntu0.1






[USN-6394-1] Python vulnerability

2023-09-21 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6394-1
September 21, 2023

python3.5 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Python could be made to execute arbitrary code if it received
a specially crafted script.

Software Description:
- python3.5: An interactive high-level object-oriented language

Details:

It was discovered that Python incorrectly handled certain scripts.
An attacker could possibly use this issue to execute arbitrary code
or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  python3.5   3.5.2-2ubuntu0~16.04.13+esm10

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6394-1
  CVE-2022-48560






[USN-6391-2] CUPS vulnerability

2023-09-21 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6391-2
September 21, 2023

cups vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

CUPS could be made to crash or run programs if it opened a specially
crafted file.

Software Description:
- cups: Common UNIX Printing System(tm)

Details:

USN-6391-1 fixed a vulnerability in CUPS. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 It was discovered that CUPS incorrectly parsed certain Postscript objects.
 If a user or automated system were tricked into printing a specially
 crafted document, a remote attacker could use this issue to cause CUPS to
 crash, resulting in a denial of service, or possibly execute arbitrary
 code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  cups  2.2.7-1ubuntu2.10+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  cups  2.1.3-4ubuntu0.11+esm4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6391-2
  https://ubuntu.com/security/notices/USN-6391-1
  CVE-2023-4504






[USN-6382-1] Memcached vulnerability

2023-09-19 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6382-1
September 19, 2023

memcached vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Memcached could be made to cause a denial of service.

Software Description:
- memcached: High-performance in-memory object caching system

Details:

It was discovered that Memcached incorrectly handled certain multi-packet
uploads in UDP. An attacker could possibly use this issue to cause a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  memcached   1.5.22-2ubuntu0.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  memcached   1.5.6-0ubuntu1.2+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  memcached   1.4.25-2ubuntu1.5+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6382-1
  CVE-2022-48571

Package Information:
  https://launchpad.net/ubuntu/+source/memcached/1.5.22-2ubuntu0.3






[USN-6164-2] c-ares vulnerabilities

2023-09-11 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-6164-2
September 11, 2023

c-ares vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in c-ares.

Software Description:
- c-ares: library for asynchronous name resolution

Details:

USN-6164-1 fixed several vulnerabilities in c-ares. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Hannes Moesl discovered that c-ares incorrectly handled certain IPv6
 addresses. An attacker could use this issue to cause c-ares to crash,
 resulting in a denial of service, or possibly execute arbitrary code.
 (CVE-2023-31130)

 Xiang Li discovered that c-ares incorrectly handled certain UDP packets. A
 remote attacker could possibly use this issue to cause c-ares to crash,
 resulting in a denial of service. (CVE-2023-32067)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libc-ares2  1.14.0-1ubuntu0.2+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libc-ares2  1.10.0-3ubuntu0.2+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6164-2
  https://ubuntu.com/security/notices/USN-6164-1
  CVE-2023-31130, CVE-2023-32067






[USN-5767-3] Python vulnerability

2023-03-06 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5767-3
March 06, 2023

python3.6 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Python.

Software Description:
- python3.6: An interactive high-level object-oriented language

Details:

USN-5767-1 fixed vulnerabilities in Python. This update fixes the problem
for Ubuntu 18.04 LTS.

Original advisory details:

 Nicky Mouha discovered that Python incorrectly handled certain SHA-3 internals.
 An attacker could possibly use this issue to cause a crash or execute
 arbitrary code. (CVE-2022-37454)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  python3.6   3.6.9-1~18.04ubuntu1.10

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5767-3
  https://ubuntu.com/security/notices/USN-5767-1
  CVE-2022-37454, https://launchpad.net/bugs/1995197

Package Information:
  https://launchpad.net/ubuntu/+source/python3.6/3.6.9-1~18.04ubuntu1.10





[USN-5871-2] Git regression

2023-03-02 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5871-2
March 02, 2023

git regression
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

USN-5871-1 caused a regression.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

USN-5871-1 fixed vulnerabilities in Git. A backport fixing
part of the vulnerability in CVE-2023-22490 was required.
This update fixes this for Ubuntu 18.04 LTS.

Original advisory details:

 It was discovered that Git incorrectly handled certain repositories.
 An attacker could use this issue to make Git use its local
 clone optimization even when using a non-local transport.
 (CVE-2023-22490)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  git 1:2.17.1-1ubuntu0.17

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5871-2
  https://ubuntu.com/security/notices/USN-5871-1
  CVE-2023-22490, https://launchpad.net/bugs/2008277

Package Information:
  https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.17





[USN-5900-1] tar vulnerability

2023-02-28 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5900-1
February 28, 2023

tar vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

tar could be made to crash or expose sensitive information
if it received a specially crafted file.

Software Description:
- tar: GNU version of the tar archiving utility

Details:

It was discovered that tar incorrectly handled certain files.
An attacker could possibly use this issue to expose sensitive information
or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  tar 1.34+dfsg-1ubuntu0.1.22.10.1

Ubuntu 22.04 LTS:
  tar 1.34+dfsg-1ubuntu0.1.22.04.1

Ubuntu 20.04 LTS:
  tar 1.30+dfsg-7ubuntu0.20.04.3

Ubuntu 18.04 LTS:
  tar 1.29b-2ubuntu0.4

Ubuntu 16.04 ESM:
  tar 1.28-2.1ubuntu0.2+esm2

Ubuntu 14.04 ESM:
  tar 1.27.1-1ubuntu0.1+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5900-1
  CVE-2022-48303

Package Information:
  https://launchpad.net/ubuntu/+source/tar/1.34+dfsg-1ubuntu0.1.22.10.1
  https://launchpad.net/ubuntu/+source/tar/1.34+dfsg-1ubuntu0.1.22.04.1
  https://launchpad.net/ubuntu/+source/tar/1.30+dfsg-7ubuntu0.20.04.3
  https://launchpad.net/ubuntu/+source/tar/1.29b-2ubuntu0.4





[USN-5778-2] X.Org X Server vulnerabilities

2023-02-16 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5778-2
February 16, 2023

xorg-server, xorg-server-hwe-16.04 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in X.Org X Server.

Software Description:
- xorg-server: X.Org X11 server
- xorg-server-hwe-16.04: X.Org X11 server

Details:

USN-5778-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

 Jan-Niklas Sohn discovered that X.Org X Server extensions contained
 multiple security issues. An attacker could possibly use these issues to
 cause the X Server to crash, execute arbitrary code, or escalate
 privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  xserver-xorg-core   2:1.18.4-0ubuntu0.12+esm5
  xserver-xorg-core-hwe-16.04 2:1.19.6-1ubuntu4.1~16.04.6+esm4
  xwayland  2:1.18.4-0ubuntu0.12+esm5
  xwayland-hwe-16.04  2:1.19.6-1ubuntu4.1~16.04.6+esm4

Ubuntu 14.04 ESM:
  xserver-xorg-core   2:1.15.1-0ubuntu2.11+esm7

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5778-2
  https://ubuntu.com/security/notices/USN-5778-1
  CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342,
  CVE-2022-46343, CVE-2022-46344, CVE-2023-0494





[USN-5871-1] Git vulnerabilities

2023-02-14 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5871-1
February 14, 2023

git vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Git.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

It was discovered that Git incorrectly handled certain repositories.
An attacker could use this issue to make Git use its local
clone optimization even when using a non-local transport.
(CVE-2023-22490)

Joern Schneeweisz discovered that Git incorrectly handled certain commands.
An attacker could possibly use this issue to overwrite a patch outside
the working tree. (CVE-2023-23946)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  git 1:2.37.2-1ubuntu1.4

Ubuntu 22.04 LTS:
  git 1:2.34.1-1ubuntu1.8

Ubuntu 20.04 LTS:
  git 1:2.25.1-1ubuntu3.10

Ubuntu 18.04 LTS:
  git 1:2.17.1-1ubuntu0.16

Ubuntu 16.04 ESM:
  git 1:2.7.4-0ubuntu1.10+esm5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5871-1
  CVE-2023-22490, CVE-2023-23946

Package Information:
  https://launchpad.net/ubuntu/+source/git/1:2.37.2-1ubuntu1.4
  https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.8
  https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.10
  https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.16





[USN-5845-2] OpenSSL vulnerabilities

2023-02-07 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5845-2
February 07, 2023

openssl vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

USN-5845-1 fixed several vulnerabilities in OpenSSL. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

 David Benjamin discovered that OpenSSL incorrectly handled X.400 address
 processing. A remote attacker could possibly use this issue to read
 arbitrary memory contents or cause OpenSSL to crash, resulting in a denial
 of service. (CVE-2023-0286)

 Octavio Galland and Marcel Böhme discovered that OpenSSL incorrectly
 handled streaming ASN.1 data. A remote attacker could use this issue to
 cause OpenSSL to crash, resulting in a denial of service, or possibly
 execute arbitrary code. (CVE-2023-0215)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  libssl1.0.0 1.0.2g-1ubuntu4.20+esm6

Ubuntu 14.04 ESM:
  libssl1.0.0 1.0.1f-1ubuntu2.27+esm6

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5845-2
  https://ubuntu.com/security/notices/USN-5845-1
  CVE-2023-0215, CVE-2023-0286





[USN-5810-3] Git vulnerabilities

2023-02-07 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5810-3
February 07, 2023

git vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Git.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

USN-5810-1 fixed several vulnerabilities in Git. This update provides
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

 Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled
 certain gitattributes. An attacker could possibly use this issue to cause a
 crash or execute arbitrary code. (CVE-2022-23521)

 Joern Schneeweisz discovered that Git incorrectly handled certain commands.
 An attacker could possibly use this issue to cause a crash or execute
 arbitrary code. (CVE-2022-41903)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  git 1:2.7.4-0ubuntu1.10+esm4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5810-3
  https://ubuntu.com/security/notices/USN-5810-1
  CVE-2022-23521, CVE-2022-41903





[USN-5843-1] tmux vulnerability

2023-02-06 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5843-1
February 06, 2023

tmux vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

tmux could be made to crash if it received a specially crafted input.

Software Description:
- tmux: terminal multiplexer

Details:

It was discovered that tmux incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  tmux  3.3a-1ubuntu0.1

Ubuntu 22.04 LTS:
  tmux  3.2a-4ubuntu0.2

Ubuntu 20.04 LTS:
  tmux  3.0a-2ubuntu0.4

Ubuntu 18.04 LTS:
  tmux  2.6-3ubuntu0.3

Ubuntu 16.04 ESM:
  tmux  2.1-3ubuntu0.1~esm1

Ubuntu 14.04 ESM:
  tmux  1.8-5ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5843-1
  CVE-2022-47016

Package Information:
  https://launchpad.net/ubuntu/+source/tmux/3.3a-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/tmux/3.2a-4ubuntu0.2
  https://launchpad.net/ubuntu/+source/tmux/3.0a-2ubuntu0.4
  https://launchpad.net/ubuntu/+source/tmux/2.6-3ubuntu0.3





[USN-5839-2] Apache HTTP Server vulnerability

2023-02-02 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5839-2
February 02, 2023

apache2 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-5839-1 fixed a vulnerability in Apache. This update provides
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

 Dimas Fariski Setyawan Putra discovered that the Apache HTTP Server
 mod_proxy module incorrectly truncated certain response headers. This may
 result in later headers not being interpreted by the client.
 (CVE-2022-37436)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  apache2 2.4.18-2ubuntu3.17+esm9

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5839-2
  https://ubuntu.com/security/notices/USN-5839-1
  CVE-2022-37436





[USN-5837-2] Django vulnerability

2023-02-01 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5837-2
February 01, 2023

python-django vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Django could be made to consume memory if it received specially crafted
network traffic.

Software Description:
- python-django: High-level Python web development framework

Details:

USN-5837-1 fixed a vulnerability in Django. This update provides
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

 Nick Pope discovered that Django incorrectly handled certain
 Accept-Language headers. A remote attacker could possibly use this issue to
 cause Django to consume memory, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  python-django   1.8.7-1ubuntu5.15+esm6
  python3-django  1.8.7-1ubuntu5.15+esm6

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5837-2
  https://ubuntu.com/security/notices/USN-5837-1
  CVE-2023-23969





[USN-5811-3] Sudo vulnerability

2023-01-30 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5811-3
January 30, 2023

sudo vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Sudo.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

USN-5811-1 fixed a vulnerability in Sudo. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

 Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly
 handled user-specified editors when using the sudoedit command. A local
 attacker that has permission to use the sudoedit command could possibly use
 this issue to edit arbitrary files. (CVE-2023-22809)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
  sudo  1.8.9p5-1ubuntu1.5+esm7
  sudo-ldap   1.8.9p5-1ubuntu1.5+esm7

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5811-3
  https://ubuntu.com/security/notices/USN-5811-1
  CVE-2023-22809





[USN-5823-2] MySQL vulnerability

2023-01-24 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5823-2
January 24, 2023

mysql-5.7 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database

Details:

USN-5823-1 fixed a vulnerability in MySQL. This update provides
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

 Multiple security issues were discovered in MySQL and this update includes
 new upstream MySQL versions to fix these issues.

 MySQL has been updated to MySQL 5.7.41.

 In addition to security fixes, the updated packages contain bug fixes, new
 features, and possibly incompatible changes.

 Please see the following for more information:

 https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-41.html
 https://www.oracle.com/security-alerts/cpujan2023.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  mysql-server-5.7  5.7.41-0ubuntu0.16.04.1+esm1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-5823-2
  https://ubuntu.com/security/notices/USN-5823-1
  CVE-2023-21840





[USN-5806-2] Ruby vulnerability

2023-01-23 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5806-2
January 23, 2023

ruby2.5, ruby3.0 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 18.04 LTS

Summary:

Ruby could allow for internet traffic to be modified if
a vulnerable application processed malicious user input.

Software Description:
- ruby3.0: Interpreter of object-oriented scripting language Ruby
- ruby2.5: Object-oriented scripting language

Details:

USN-5806-1 fixed vulnerabilities in Ruby. This update fixes the problem
for Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.10.

Original advisory details:

 Hiroshi Tokumaru discovered that Ruby did not properly handle certain
 user input for applications which generate HTTP responses using cgi gem.
 An attacker could possibly use this issue to maliciously modify the
 response a user would receive from a vulnerable application.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  libruby3.0  3.0.4-7ubuntu0.1
  ruby3.0 3.0.4-7ubuntu0.1

Ubuntu 22.04 LTS:
  libruby3.0  3.0.2-7ubuntu2.3
  ruby3.0 3.0.2-7ubuntu2.3

Ubuntu 18.04 LTS:
  libruby2.5  2.5.1-1ubuntu1.13
  ruby2.5 2.5.1-1ubuntu1.13

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5806-2
  https://ubuntu.com/security/notices/USN-5806-1
  CVE-2021-33621

Package Information:
  https://launchpad.net/ubuntu/+source/ruby3.0/3.0.4-7ubuntu0.1
  https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.3
  https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.13





[USN-5818-1] PHP vulnerability

2023-01-23 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5818-1
January 23, 2023

php7.2, php7.4, php8.1 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

PHP could be made to crash or execute arbitrary code if it received
specially crafted input.

Software Description:
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  libapache2-mod-php7.4   8.1.7-1ubuntu3.2
  libapache2-mod-php8.0   8.1.7-1ubuntu3.2
  libapache2-mod-php8.1   8.1.7-1ubuntu3.2
  php8.1  8.1.7-1ubuntu3.2
  php8.1-cgi  8.1.7-1ubuntu3.2
  php8.1-cli  8.1.7-1ubuntu3.2
  php8.1-sqlite3  8.1.7-1ubuntu3.2

Ubuntu 22.04 LTS:
  libapache2-mod-php7.4   8.1.2-1ubuntu2.10
  libapache2-mod-php8.0   8.1.2-1ubuntu2.10
  libapache2-mod-php8.1   8.1.2-1ubuntu2.10
  php8.1  8.1.2-1ubuntu2.10
  php8.1-cgi  8.1.2-1ubuntu2.10
  php8.1-cli  8.1.2-1ubuntu2.10
  php8.1-sqlite3  8.1.2-1ubuntu2.10

Ubuntu 20.04 LTS:
  libapache2-mod-php7.4   7.4.3-4ubuntu2.17
  php7.4  7.4.3-4ubuntu2.17
  php7.4-cgi  7.4.3-4ubuntu2.17
  php7.4-cli  7.4.3-4ubuntu2.17
  php7.4-sqlite3  7.4.3-4ubuntu2.17

Ubuntu 18.04 LTS:
  libapache2-mod-php7.2   7.2.24-0ubuntu0.18.04.16
  php7.2  7.2.24-0ubuntu0.18.04.16
  php7.2-cgi  7.2.24-0ubuntu0.18.04.16
  php7.2-cli  7.2.24-0ubuntu0.18.04.16
  php7.2-sqlite3  7.2.24-0ubuntu0.18.04.16

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5818-1
  CVE-2022-31631

Package Information:
  https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.2
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.10
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.17
  https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.16





[USN-5810-2] Git regression

2023-01-19 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5810-2
January 19, 2023

git regression
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

USN-5810-1 introduced a regression in Git.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

USN-5810-1 fixed vulnerabilities in Git. That update introduced a regression,
as it was missing some commit lines. This update fixes the problem.

Original advisory details:

 Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain
 gitattributes. An attacker could possibly use this issue to cause a crash
 or execute arbitrary code. (CVE-2022-23521)

 Joern Schneeweisz discovered that Git incorrectly handled certain commands.
 An attacker could possibly use this issue to cause a crash or execute
 arbitrary code. (CVE-2022-41903)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  git 1:2.25.1-1ubuntu3.8

Ubuntu 18.04 LTS:
  git 1:2.17.1-1ubuntu0.15

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5810-2
  https://ubuntu.com/security/notices/USN-5810-1
  https://launchpad.net/bugs/2003246

Package Information:
  https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.8
  https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.15





[USN-5811-2] Sudo vulnerability

2023-01-18 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5811-2
January 18, 2023

sudo vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Sudo could be made to possibly edit arbitrary files
if it received a specially crafted input.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

USN-5811-1 fixed a vulnerability in Sudo. This update provides
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

 Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly
 handled user-specified editors when using the sudoedit command. A local
 attacker that has permission to use the sudoedit command could possibly use
 this issue to edit arbitrary files. (CVE-2023-22809)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  sudo1.8.16-0ubuntu1.10+esm1
  sudo-ldap   1.8.16-0ubuntu1.10+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5811-2
  https://ubuntu.com/security/notices/USN-5811-1
  CVE-2023-22809





[USN-5810-1] Git vulnerabilities

2023-01-17 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5810-1
January 17, 2023

git vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Git.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain
gitattributes. An attacker could possibly use this issue to cause a crash
or execute arbitrary code. (CVE-2022-23521)

Joern Schneeweisz discovered that Git incorrectly handled certain commands.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. (CVE-2022-41903)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  git 1:2.37.2-1ubuntu1.2

Ubuntu 22.04 LTS:
  git 1:2.34.1-1ubuntu1.6

Ubuntu 20.04 LTS:
  git 1:2.25.1-1ubuntu3.7

Ubuntu 18.04 LTS:
  git 1:2.17.1-1ubuntu0.14

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5810-1
  CVE-2022-23521, CVE-2022-41903

Package Information:
  https://launchpad.net/ubuntu/+source/git/1:2.37.2-1ubuntu1.2
  https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.6
  https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.7
  https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.14





[USN-5795-2] Net-SNMP vulnerabilities

2023-01-16 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5795-2
January 16, 2023

net-snmp vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Net-SNMP.

Software Description:
- net-snmp: SNMP (Simple Network Management Protocol) server and applications

Details:

USN-5795-1 and USN-5543-1 fixed several vulnerabilities in Net-SNMP. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

 It was discovered that Net-SNMP incorrectly handled certain requests. A
 remote attacker could possibly use these issues to cause Net-SNMP to crash,
 resulting in a denial of service.

 Yu Zhang and Nanyu Zhong discovered that Net-SNMP incorrectly handled
 memory operations when processing certain requests. A remote attacker could
 use this issue to cause Net-SNMP to crash, resulting in a denial of
 service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  libsnmp30   5.7.3+dfsg-1ubuntu4.6+esm1
  snmp5.7.3+dfsg-1ubuntu4.6+esm1
  snmpd   5.7.3+dfsg-1ubuntu4.6+esm1

Ubuntu 14.04 ESM:
  libsnmp30   5.7.2~dfsg-8.1ubuntu3.3+esm3
  snmp5.7.2~dfsg-8.1ubuntu3.3+esm3
  snmpd   5.7.2~dfsg-8.1ubuntu3.3+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5795-2
  https://ubuntu.com/security/notices/USN-5795-1
  CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808,
  CVE-2022-24809, CVE-2022-24810, CVE-2022-44792, CVE-2022-44793





[USN-5796-2] w3m vulnerability

2023-01-10 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5796-2
January 10, 2023

w3m vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

w3m could be made to crash or run programs as your login if it opened a
malicious website.

Software Description:
- w3m: WWW browsable pager with excellent tables/frames support

Details:

USN-5796-1 fixed a vulnerability in w3m. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

 It was discovered that w3m incorrectly handled certain HTML files. A remote
 attacker could use this issue to cause w3m to crash, resulting in a denial
 of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
  w3m 0.5.3-15ubuntu0.2+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5796-2
  https://ubuntu.com/security/notices/USN-5796-1
  CVE-2022-38223





[USN-5761-2] ca-certificates update

2022-12-06 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5761-2
December 06, 2022

ca-certificates update
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

A distrusted certificate authority has been removed from ca-certificates.

Software Description:
- ca-certificates: Common CA certificates

Details:

USN-5761-1 updated ca-certificates. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

 Due to security concerns, the TrustCor certificate authority has been
 marked as distrusted in Mozilla's root store. This update removes the
 TrustCor CA certificates from the ca-certificates package.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  ca-certificates 20211016~16.04.1~esm2

Ubuntu 14.04 ESM:
  ca-certificates 20211016~14.04.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5761-2
  https://ubuntu.com/security/notices/USN-5761-1
  https://launchpad.net/bugs/XX





[USN-5762-1] GNU binutils vulnerability

2022-12-05 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5762-1
December 05, 2022

binutils vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

GNU binutils could be made to crash or execute arbitrary code if it received
a specially crafted COFF file.

Software Description:
- binutils: GNU assembler, linker and binary utilities

Details:

It was discovered that GNU binutils incorrectly handled certain COFF files.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  binutils2.39-3ubuntu1.1
  binutils-multiarch  2.39-3ubuntu1.1

Ubuntu 22.04 LTS:
  binutils2.38-4ubuntu2.1
  binutils-multiarch  2.38-4ubuntu2.1

Ubuntu 20.04 LTS:
  binutils2.34-6ubuntu1.4
  binutils-multiarch  2.34-6ubuntu1.4

Ubuntu 18.04 LTS:
  binutils2.30-21ubuntu1~18.04.8
  binutils-multiarch  2.30-21ubuntu1~18.04.8

Ubuntu 16.04 ESM:
  binutils2.26.1-1ubuntu1~16.04.8+esm5
  binutils-multiarch  2.26.1-1ubuntu1~16.04.8+esm5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5762-1
  CVE-2022-38533

Package Information:
  https://launchpad.net/ubuntu/+source/binutils/2.39-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/binutils/2.38-4ubuntu2.1
  https://launchpad.net/ubuntu/+source/binutils/2.34-6ubuntu1.4
  https://launchpad.net/ubuntu/+source/binutils/2.30-21ubuntu1~18.04.8
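Every notice in this archive ends with the same instruction: update to the listed
package versions. What an operator actually wants to know is which hosts are still
below those versions. The Python below is an added example, not part of any notice
here and not Ubuntu's own tooling. It re-implements dpkg's version ordering
(epoch, upstream version, Debian revision; '~' sorts before everything, so the
backport '2.30-21ubuntu1~18.04.8' is older than '2.30-21ubuntu1', and '+esm5'
sorts after its base) rather than shelling out to 'dpkg --compare-versions', so
it also runs on a workstation without dpkg. The USN table text and the set of
installed versions are constructed samples (the table rows are USN-5762-1's as
published with their original column spacing; the installed versions are invented),
and installed_versions() is the only function that touches a live system. Note that
this archive's rendering collapsed the column spacing in some tables (for example
"sudo1.8.16-0ubuntu1.10+esm1"); feed parse_usn_table() the notice as published.

```python
# Check installed Ubuntu package versions against the fixed versions a USN lists,
# using dpkg's own version-ordering rules so the check also runs where dpkg is absent.
import re
import subprocess
from typing import Dict, List, Tuple

def _order(c: str) -> int:
    """Weight of one character in a non-digit run, as dpkg's order() defines it."""
    if c == "" or c.isdigit():
        return 0
    # letters by code point; '~' before even end-of-string; '.', '+' etc. after letters
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): order two upstream-version or revision strings."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # digit runs compare numerically
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1  # the longer digit run is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = v.rpartition("-")
    if not sep:  # no '-' at all: native package, empty revision
        upstream, revision = v, ""
    return epoch, upstream, revision

def compare_versions(a: str, b: str) -> int:
    """<0, 0 or >0, ordering a against b as `dpkg --compare-versions` does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def parse_usn_table(text: str) -> Dict[str, Dict[str, str]]:
    """Map release -> {package: fixed version} from a USN 'Update instructions' block."""
    fixed: Dict[str, Dict[str, str]] = {}
    release = None
    for line in text.splitlines():
        m_rel = re.match(r"^(Ubuntu \S+(?: LTS| ESM)?):?\s*$", line)
        if m_rel:
            release = m_rel.group(1)
            fixed.setdefault(release, {})
            continue
        m_pkg = re.match(r"^\s+(\S+)\s+(\S+)\s*$", line)  # "  binutils    2.39-3ubuntu1.1"
        if m_pkg and release:
            fixed[release][m_pkg.group(1)] = m_pkg.group(2)
    return fixed

def vulnerable_packages(installed: Dict[str, str], fixed: Dict[str, str]) -> List[str]:
    """Installed packages whose version is still older than the version the USN fixed."""
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)

def installed_versions() -> Dict[str, str]:
    """Read a live system with dpkg-query (the sample run below does not call this)."""
    out = subprocess.run(["dpkg-query", "-W", "--showformat=${Package}\\t${Version}\\t${Status}\\n"],
                         check=True, capture_output=True, text=True).stdout
    rows = (line.split("\t") for line in out.splitlines())
    return {pkg: ver for pkg, ver, status in rows if status.endswith(" installed")}

# Constructed sample: part of the USN-5762-1 'Update instructions' table as published.
USN_5762_1_TABLE = """\
Ubuntu 18.04 LTS:
  binutils                        2.30-21ubuntu1~18.04.8
  binutils-multiarch              2.30-21ubuntu1~18.04.8
Ubuntu 16.04 ESM:
  binutils                        2.26.1-1ubuntu1~16.04.8+esm5
"""

# Constructed sample host (18.04): one package a revision behind, one at the fix, one unrelated.
SAMPLE_INSTALLED = {
    "binutils": "2.30-21ubuntu1~18.04.7",
    "binutils-multiarch": "2.30-21ubuntu1~18.04.8",
    "git": "1:2.17.1-1ubuntu0.14",
}

def audit_sample() -> List[str]:
    """Run the check for the constructed host against USN-5762-1."""
    fixed = parse_usn_table(USN_5762_1_TABLE)["Ubuntu 18.04 LTS"]
    return vulnerable_packages(SAMPLE_INSTALLED, fixed)
```

On a real host, replace SAMPLE_INSTALLED with installed_versions() and pick the
release key that matches /etc/os-release. The comparison deliberately mirrors
dpkg's C code rather than a "split on dots" heuristic: a naive split would rank
'2.30-21ubuntu1~18.04.8' above '2.30-21ubuntu1' and would miss that an ESM build
such as '5.7.3+dfsg-1ubuntu4.6+esm1' is newer than '5.7.3+dfsg-1ubuntu4.6'.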





[USN-5760-1] libxml2 vulnerabilities

2022-12-05 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5760-1
December 05, 2022

libxml2 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in libxml2.

Software Description:
- libxml2: GNOME XML library

Details:

It was discovered that libxml2 incorrectly handled certain XML files.
An attacker could possibly use this issue to cause a crash.
(CVE-2022-2309)

It was discovered that libxml2 incorrectly handled certain XML files.
An attacker could possibly use this issue to expose sensitive information
or cause a crash. (CVE-2022-40303)

It was discovered that libxml2 incorrectly handled certain XML files.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2022-40304)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  libxml2 2.9.14+dfsg-1ubuntu0.1
  libxml2-utils   2.9.14+dfsg-1ubuntu0.1

Ubuntu 22.04 LTS:
  libxml2 2.9.13+dfsg-1ubuntu0.2
  libxml2-utils   2.9.13+dfsg-1ubuntu0.2

Ubuntu 20.04 LTS:
  libxml2 2.9.10+dfsg-5ubuntu0.20.04.5
  libxml2-utils   2.9.10+dfsg-5ubuntu0.20.04.5

Ubuntu 18.04 LTS:
  libxml2 2.9.4+dfsg1-6.1ubuntu1.8
  libxml2-utils   2.9.4+dfsg1-6.1ubuntu1.8

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5760-1
  CVE-2022-2309, CVE-2022-40303, CVE-2022-40304

Package Information:
  https://launchpad.net/ubuntu/+source/libxml2/2.9.14+dfsg-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libxml2/2.9.13+dfsg-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/libxml2/2.9.10+dfsg-5ubuntu0.20.04.5
  https://launchpad.net/ubuntu/+source/libxml2/2.9.4+dfsg1-6.1ubuntu1.8





[USN-5716-2] SQLite vulnerability

2022-11-21 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5716-2
November 21, 2022

sqlite3 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

SQLite could be made to crash or run programs if it received specially
crafted input.

Software Description:
- sqlite3: C library that implements an SQL database engine

Details:

USN-5716-1 fixed a vulnerability in SQLite. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

 It was discovered that SQLite incorrectly handled certain long string
 arguments. An attacker could use this issue to cause SQLite to crash,
 resulting in a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
  libsqlite3-03.8.2-1ubuntu2.2+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5716-2
  https://ubuntu.com/security/notices/USN-5716-1
  CVE-2022-35737





[USN-5658-3] DHCP vulnerabilities

2022-11-21 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5658-3
November 21, 2022

isc-dhcp vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in DHCP.

Software Description:
- isc-dhcp: DHCP server and client

Details:

USN-5658-1 fixed several vulnerabilities in DHCP. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

 It was discovered that DHCP incorrectly handled option reference counting.
 A remote attacker could possibly use this issue to cause DHCP servers to
 crash, resulting in a denial of service. (CVE-2022-2928)

 It was discovered that DHCP incorrectly handled certain memory operations.
 A remote attacker could possibly use this issue to cause DHCP clients and
 servers to consume resources, leading to a denial of service.
 (CVE-2022-2929)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
  isc-dhcp-client 4.2.4-7ubuntu12.13+esm2
  isc-dhcp-server 4.2.4-7ubuntu12.13+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5658-3
  https://ubuntu.com/security/notices/USN-5658-1
  CVE-2022-2928, CVE-2022-2929





[USN-5686-3] Git vulnerabilities

2022-11-21 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5686-3
November 21, 2022

git vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10

Summary:

Several security issues were fixed in Git.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

USN-5686-1 fixed vulnerabilities in Git. This update provides the corresponding
updates for Ubuntu 22.10.

Original advisory details:

 Cory Snider discovered that Git incorrectly handled certain symbolic links.
 An attacker could possibly use this issue to cause an unexpected behaviour.
 (CVE-2022-39253)

 Kevin Backhouse discovered that Git incorrectly handled certain command strings.
 An attacker could possibly use this issue to execute arbitrary code.
 (CVE-2022-39260)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  git 1:2.37.2-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5686-3
  https://ubuntu.com/security/notices/USN-5686-1
  CVE-2022-39253, CVE-2022-39260

Package Information:
  https://launchpad.net/ubuntu/+source/git/1:2.37.2-1ubuntu1.1





[USN-5625-2] Mako vulnerability

2022-11-15 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5625-2
November 15, 2022

mako vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10

Summary:

Mako could be made to cause a denial of service if it received a
specially crafted regular expression.

Software Description:
- mako: fast and lightweight templating for the Python platform

Details:

USN-5625-1 fixed a vulnerability in Mako. This update provides the
corresponding updates for Ubuntu 22.10.

Original advisory details:

 It was discovered that Mako incorrectly handled certain regular expressions.
 An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  python3-mako1.1.3+ds1-3ubuntu2.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5625-2
  https://ubuntu.com/security/notices/USN-5625-1
  CVE-2022-40023

Package Information:
  https://launchpad.net/ubuntu/+source/mako/1.1.3+ds1-3ubuntu2.1





[USN-5717-1] PHP vulnerabilities

2022-11-08 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5717-1
November 08, 2022

php7.2, php7.4, php8.1 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain gzip files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-31628)

It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to compromise the data.
(CVE-2022-31629)

It was discovered that PHP incorrectly handled certain image fonts.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.10, and Ubuntu 22.04 LTS.
(CVE-2022-31630)

Nicky Mouha discovered that PHP incorrectly handled certain SHA-3 operations.
An attacker could possibly use this issue to cause a crash
or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS,
Ubuntu 22.10, and Ubuntu 22.04 LTS. (CVE-2022-37454)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  libapache2-mod-php7.4   8.1.7-1ubuntu3.1
  libapache2-mod-php8.0   8.1.7-1ubuntu3.1
  libapache2-mod-php8.1   8.1.7-1ubuntu3.1
  php8.1  8.1.7-1ubuntu3.1
  php8.1-cgi  8.1.7-1ubuntu3.1
  php8.1-cli  8.1.7-1ubuntu3.1
  php8.1-zip  8.1.7-1ubuntu3.1

Ubuntu 22.04 LTS:
  libapache2-mod-php7.4   8.1.2-1ubuntu2.8
  libapache2-mod-php8.0   8.1.2-1ubuntu2.8
  libapache2-mod-php8.1   8.1.2-1ubuntu2.8
  php8.1  8.1.2-1ubuntu2.8
  php8.1-cgi  8.1.2-1ubuntu2.8
  php8.1-cli  8.1.2-1ubuntu2.8
  php8.1-zip  8.1.2-1ubuntu2.8

Ubuntu 20.04 LTS:
  libapache2-mod-php7.4   7.4.3-4ubuntu2.15
  php7.4  7.4.3-4ubuntu2.15
  php7.4-cgi  7.4.3-4ubuntu2.15
  php7.4-cli  7.4.3-4ubuntu2.15
  php7.4-zip  7.4.3-4ubuntu2.15

Ubuntu 18.04 LTS:
  libapache2-mod-php7.2   7.2.24-0ubuntu0.18.04.15
  php7.2  7.2.24-0ubuntu0.18.04.15
  php7.2-cgi  7.2.24-0ubuntu0.18.04.15
  php7.2-cli  7.2.24-0ubuntu0.18.04.15
  php7.2-zip  7.2.24-0ubuntu0.18.04.15

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5717-1
  CVE-2022-31628, CVE-2022-31629, CVE-2022-31630, CVE-2022-37454

Package Information:
  https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.1
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.8
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.15
  https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.15





[USN-5711-2] NTFS-3G vulnerability

2022-11-03 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5711-2
November 03, 2022

ntfs-3g vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

NTFS-3G could be made to crash or run programs as an administrator
if it mounted a specially crafted disk.

Software Description:
- ntfs-3g: read/write NTFS driver for FUSE

Details:

USN-5711-1 fixed a vulnerability in NTFS-3G. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

 Yuchen Zeng and Eduardo Vela discovered that NTFS-3G incorrectly validated
 certain NTFS metadata. A local attacker could possibly use this issue to
 gain privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  ntfs-3g 1:2015.3.14AR.1-1ubuntu0.3+esm4

Ubuntu 14.04 ESM:
  ntfs-3g 1:2013.1.13AR.1-2ubuntu2+esm4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5711-2
  https://ubuntu.com/security/notices/USN-5711-1
  CVE-2022-40284





[USN-5708-1] backport-iwlwifi-dkms vulnerabilities

2022-11-01 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5708-1
November 01, 2022

backport-iwlwifi-dkms vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in backport-iwlwifi-dkms.

Software Description:
- backport-iwlwifi-dkms: iwlwifi driver backport in DKMS format

Details:

Sönke Huster discovered that an integer overflow vulnerability existed in
the WiFi driver stack in the Linux kernel, leading to a buffer overflow. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-41674)

Sönke Huster discovered that a use-after-free vulnerability existed in the
WiFi driver stack in the Linux kernel. A physically proximate attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2022-42719)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did
not properly perform reference counting in some situations, leading to a
use-after-free vulnerability. A physically proximate attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-42720)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did
not properly handle BSSID/SSID lists in some situations. A physically
proximate attacker could use this to cause a denial of service (infinite
loop). (CVE-2022-42721)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
physically proximate attacker could use this to cause a denial of service
(system crash). This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.10.
(CVE-2022-42722)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  backport-iwlwifi-dkms   9904-0ubuntu3.1

Ubuntu 22.04 LTS:
  backport-iwlwifi-dkms   9858-0ubuntu3.1

Ubuntu 20.04 LTS:
  backport-iwlwifi-dkms   8324-0ubuntu3~20.04.5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5708-1
  CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721,
  CVE-2022-42722, https://launchpad.net/bugs/1994525

Package Information:
  https://launchpad.net/ubuntu/+source/backport-iwlwifi-dkms/9904-0ubuntu3.1
  https://launchpad.net/ubuntu/+source/backport-iwlwifi-dkms/9858-0ubuntu3.1
  https://launchpad.net/ubuntu/+source/backport-iwlwifi-dkms/8324-0ubuntu3~20.04.5





[USN-5698-2] Open vSwitch vulnerability

2022-10-25 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5698-2
October 25, 2022

openvswitch vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Open vSwitch could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- openvswitch: Ethernet virtual switch

Details:

USN-5698-1 fixed a vulnerability in Open vSwitch. This update provides
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

 It was discovered that Open vSwitch incorrectly handled comparison of
 certain minimasks. A remote attacker could use this issue to cause Open
 vSwitch to crash, resulting in a denial of service, or possibly execute
 arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  openvswitch-common  2.5.9-0ubuntu0.16.04.3+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5698-2
  https://ubuntu.com/security/notices/USN-5698-1
  CVE-2022-32166





[USN-5689-1] Perl vulnerability

2022-10-19 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5689-1
October 19, 2022

perl vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Perl could be made to bypass signature verification.

Software Description:
- perl: Practical Extraction and Report Language

Details:

It was discovered that Perl incorrectly handled certain signature verification.
A remote attacker could possibly use this issue to bypass signature verification.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  perl5.34.0-3ubuntu1.1

Ubuntu 20.04 LTS:
  perl5.30.0-9ubuntu0.3

Ubuntu 18.04 LTS:
  perl5.26.1-6ubuntu0.6

Ubuntu 16.04 ESM:
  perl5.22.1-9ubuntu0.9+esm1

Ubuntu 14.04 ESM:
  perl5.18.2-2ubuntu1.7+esm4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5689-1
  CVE-2020-16156

Package Information:
  https://launchpad.net/ubuntu/+source/perl/5.34.0-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/perl/5.30.0-9ubuntu0.3
  https://launchpad.net/ubuntu/+source/perl/5.26.1-6ubuntu0.6





[USN-5686-1] Git vulnerabilities

2022-10-18 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5686-1
October 18, 2022

git vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Git.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

Cory Snider discovered that Git incorrectly handled certain symbolic links.
An attacker could possibly use this issue to cause an unexpected behaviour.
(CVE-2022-39253)

Kevin Backhouse discovered that Git incorrectly handled certain command strings.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2022-39260)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  git 1:2.34.1-1ubuntu1.5

Ubuntu 20.04 LTS:
  git 1:2.25.1-1ubuntu3.6

Ubuntu 18.04 LTS:
  git 1:2.17.1-1ubuntu0.13

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5686-1
  CVE-2022-39253, CVE-2022-39260

Package Information:
  https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.5
  https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.6
  https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.13





[USN-5666-1] OpenSSH vulnerability

2022-10-10 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5666-1
October 10, 2022

openssh vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

OpenSSH could be made to run arbitrary code if certain
non-default configurations are in use.

Software Description:
- openssh: secure shell (SSH) for secure access to remote machines

Details:

It was discovered that OpenSSH incorrectly handled certain helper programs.
An attacker could possibly use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  openssh-server  1:7.2p2-4ubuntu2.10+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5666-1
  CVE-2021-41617





[USN-5651-2] strongSwan vulnerability

2022-10-03 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5651-2
October 03, 2022

strongswan vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

strongSwan could be made to cause a denial of service if it received
a specially crafted certificate.

Software Description:
- strongswan: IPsec VPN solution

Details:

USN-5651-1 fixed a vulnerability in strongSwan. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

 Lahav Schlesinger discovered that strongSwan incorrectly handled certain OCSP URIs
 and CRL distribution points (CDP) in certificates. A remote attacker could
 possibly use this issue to initiate IKE_SAs and send crafted certificates
 that contain URIs pointing to servers under their control, which can lead
 to a denial-of-service attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  libstrongswan   5.3.5-1ubuntu3.8+esm3
  strongswan  5.3.5-1ubuntu3.8+esm3

Ubuntu 14.04 ESM:
  libstrongswan   5.1.2-0ubuntu2.11+esm3
  strongswan  5.1.2-0ubuntu2.11+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5651-2
  https://ubuntu.com/security/notices/USN-5651-1
  CVE-2022-40617





[USN-5651-1] strongSwan vulnerability

2022-10-03 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5651-1
October 03, 2022

strongswan vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

strongSwan could be made to cause a denial of service if it received
a specially crafted certificate.

Software Description:
- strongswan: IPsec VPN solution

Details:

Lahav Schlesinger discovered that strongSwan incorrectly handled certain OCSP URIs
and CRL distribution points (CDP) in certificates. A remote attacker could
possibly use this issue to initiate IKE_SAs and send crafted certificates
that contain URIs pointing to servers under their control, which can lead
to a denial-of-service attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  libstrongswan   5.9.5-2ubuntu2.1
  strongswan  5.9.5-2ubuntu2.1

Ubuntu 20.04 LTS:
  libstrongswan   5.8.2-1ubuntu3.5
  strongswan  5.8.2-1ubuntu3.5

Ubuntu 18.04 LTS:
  libstrongswan   5.6.2-1ubuntu2.9
  strongswan  5.6.2-1ubuntu2.9

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5651-1
  CVE-2022-40617

Package Information:
  https://launchpad.net/ubuntu/+source/strongswan/5.9.5-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/strongswan/5.8.2-1ubuntu3.5
  https://launchpad.net/ubuntu/+source/strongswan/5.6.2-1ubuntu2.9





[USN-5636-1] SoS vulnerability

2022-09-26 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5636-1
September 26, 2022

sosreport vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

SoS could be made to expose sensitive information.

Software Description:
- sosreport: Set of tools to gather troubleshooting data from a system

Details:

It was discovered that SoS incorrectly handled certain data.
An attacker could possibly use this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  sosreport   4.3-1ubuntu2.1

Ubuntu 20.04 LTS:
  sosreport   4.3-1ubuntu0.20.04.2

Ubuntu 18.04 LTS:
  sosreport   4.3-1ubuntu0.18.04.2

Ubuntu 16.04 ESM:
  sosreport   3.9.1-1ubuntu0.16.04.2+esm1

Ubuntu 14.04 ESM:
  sosreport   3.5-1~ubuntu14.04.3+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5636-1
  CVE-2022-2806

Package Information:
  https://launchpad.net/ubuntu/+source/sosreport/4.3-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/sosreport/4.3-1ubuntu0.20.04.2
  https://launchpad.net/ubuntu/+source/sosreport/4.3-1ubuntu0.18.04.2





[USN-5626-2] Bind vulnerabilities

2022-09-21 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5626-2
September 21, 2022

bind9 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Bind.

Software Description:
- bind9: Internet Domain Name Server

Details:

USN-5626-1 fixed several vulnerabilities in Bind. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

 Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind
 incorrectly handled large delegations. A remote attacker could possibly use
 this issue to reduce performance, leading to a denial of service.
 (CVE-2022-2795)

 It was discovered that Bind incorrectly handled memory when processing
 ECDSA DNSSEC verification. A remote attacker could use this issue to
 consume resources, leading to a denial of service. (CVE-2022-38177)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  bind9   1:9.10.3.dfsg.P4-8ubuntu1.19+esm3

Ubuntu 14.04 ESM:
  bind9   1:9.9.5.dfsg-3ubuntu0.19+esm7

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5626-2
  https://ubuntu.com/security/notices/USN-5626-1
  CVE-2022-2795, CVE-2022-38177





[USN-5625-1] Mako vulnerability

2022-09-21 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5625-1
September 21, 2022

mako vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Mako could be made to deny service if it received a
specially crafted regular expression.

Software Description:
- mako: documentation for the Mako Python library

Details:

It was discovered that Mako incorrectly handled certain regular expressions.
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  python3-mako1.1.3+ds1-2ubuntu0.1

Ubuntu 20.04 LTS:
  python-mako 1.1.0+ds1-1ubuntu2.1
  python3-mako1.1.0+ds1-1ubuntu2.1

Ubuntu 18.04 LTS:
  python-mako 1.0.7+ds1-1ubuntu0.2
  python3-mako1.0.7+ds1-1ubuntu0.2

Ubuntu 16.04 ESM:
  python-mako 1.0.3+ds1-1ubuntu1+esm1
  python3-mako1.0.3+ds1-1ubuntu1+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5625-1
  CVE-2022-40023

Package Information:
  https://launchpad.net/ubuntu/+source/mako/1.1.3+ds1-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/mako/1.1.0+ds1-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/mako/1.0.7+ds1-1ubuntu0.2





[USN-5606-2] poppler regression

2022-09-14 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5606-2
September 14, 2022

poppler regression
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

USN-5606-1 caused a regression in poppler.

Software Description:
- poppler: PDF rendering library

Details:

USN-5606-1 fixed a vulnerability in poppler. Unfortunately it was missing a
commit to fix it properly. This update provides the corresponding fix for
Ubuntu 18.04 LTS and Ubuntu 16.04 ESM.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that poppler incorrectly handled certain
 PDF files. An attacker could possibly use this issue to cause a
 denial of service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  libpoppler-private-dev  0.62.0-2ubuntu2.14
  libpoppler730.62.0-2ubuntu2.14
  poppler-utils   0.62.0-2ubuntu2.14

Ubuntu 16.04 ESM:
  libpoppler-private-dev  0.41.0-0ubuntu1.16+esm2
  libpoppler580.41.0-0ubuntu1.16+esm2
  poppler-utils   0.41.0-0ubuntu1.16+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5606-2
  https://ubuntu.com/security/notices/USN-5606-1
  https://launchpad.net/bugs/1989515

Package Information:
  https://launchpad.net/ubuntu/+source/poppler/0.62.0-2ubuntu2.14





[USN-5607-1] GDK-PixBuf vulnerability

2022-09-13 Thread Leonidas S. Barbosa
==
Ubuntu Security Notice USN-5607-1
September 13, 2022

gdk-pixbuf vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

GDK-PixBuf could be made to execute arbitrary code or
crash if it received a specially crafted image.

Software Description:
- gdk-pixbuf: GDK Pixbuf library

Details:

It was discovered that GDK-PixBuf incorrectly handled certain images.
An attacker could possibly use this issue to execute arbitrary code
or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  libgdk-pixbuf-2.0-0 2.42.8+dfsg-1ubuntu0.1

Ubuntu 20.04 LTS:
  libgdk-pixbuf2.0-0  2.40.0+dfsg-3ubuntu0.4

After a standard system update you need to restart your session to make all
the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5607-1
  CVE-2021-44648

Package Information:
  https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.42.8+dfsg-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.40.0+dfsg-3ubuntu0.4




