[USN-6995-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6995-1 September 09, 2024 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2024-7521, CVE-2024-7526, CVE-2024-7527, CVE-2024-7529, CVE-2024-8382) It was discovered that Thunderbird did not properly manage certain memory operations when processing graphics shared memory. An attacker could potentially exploit this issue to escape the sandbox. (CVE-2024-7519) Irvan Kurniawan discovered that Thunderbird did not properly check an attribute value in the editor component, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. (CVE-2024-7522) Rob Wu discovered that Thunderbird did not properly check permissions when creating a StreamFilter. An attacker could possibly use this issue to modify response body of requests on any site using a web extension. (CVE-2024-7525) Nils Bars discovered that Thunderbird contained a type confusion vulnerability when performing certain property name lookups. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-8381) It was discovered that Thunderbird did not properly manage memory during garbage collection. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-8384) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS thunderbird 1:115.15.0+build1-0ubuntu0.22.04.1 Ubuntu 20.04 LTS thunderbird 1:115.15.0+build1-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6995-1 CVE-2024-7519, CVE-2024-7521, CVE-2024-7522, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527, CVE-2024-7529, CVE-2024-8381, CVE-2024-8382, CVE-2024-8384 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.15.0+build1-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.15.0+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6982-1] Dovecot vulnerabilities
== Ubuntu Security Notice USN-6982-1 September 02, 2024 dovecot vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS Summary: Several security issues were fixed in Dovecot. Software Description: - dovecot: IMAP and POP3 email server Details: It was discovered that Dovecot did not not properly have restrictions on ithe size of address headers. A remote attacker could possibly use this issue to cause denial of service. (CVE-2024-23184, CVE-2024-23185) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS dovecot-core1:2.3.21+dfsg1-2ubuntu6 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6982-1 CVE-2024-23184, CVE-2024-23185 Package Information: https://launchpad.net/ubuntu/+source/dovecot/1:2.3.21+dfsg1-2ubuntu6 signature.asc Description: PGP signature
[USN-6969-1] Cacti vulnerabilities
==
Ubuntu Security Notice USN-6969-1
August 20, 2024
cacti vulnerabilities
==
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Cacti.
Software Description:
- cacti: web interface for graphing of monitoring systems
Details:
It was discovered that Cacti did not properly apply checks to the "Package
Import" feature. An attacker could possibly use this issue to perform
arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu
22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-25641)
It was discovered that Cacti did not properly sanitize values when using
javascript based API. A remote attacker could possibly use this issue to
inject arbitrary javascript code resulting into cross-site scripting
vulnerability. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-29894)
It was discovered that Cacti did not properly sanitize values when managing
data queries. A remote attacker could possibly use this issue to inject
arbitrary javascript code resulting into cross-site scripting
vulnerability. (CVE-2024-31443)
It was discovered that Cacti did not properly sanitize values when reading
tree rules with Automation API. A remote attacker could possibly use this
issue to inject arbitrary javascript code resulting into cross-site
scripting vulnerability. (CVE-2024-31444)
It was discovered that Cacti did not properly sanitize
"get_request_var('filter')" values in the "api_automation.php" file. A
remote attacker could possibly use this issue to perform SQL injection
attacks. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-31445)
It was discovered that Cacti did not properly sanitize data stored in
"form_save()" function in the "graph_template_inputs.php" file. A remote
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2024-31458)
It was discovered that Cacti did not properly validate the file urls from
the lib/plugin.php file. An attacker could possibly use this issue to
perform arbitrary code execution. (CVE-2024-31459)
It was discovered that Cacti did not properly validate the data stored in
the "automation_tree_rules.php". A remote attacker could possibly use this
issue to perform SQL injection attacks. This issue only affected Ubuntu
24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.
(CVE-2024-31460)
It was discovered that Cacti did not properly verify the user password.
An attacker could possibly use this issue to bypass authentication
mechanism. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-34360)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
cacti 1.2.26+ds1-1ubuntu0.1
Ubuntu 22.04 LTS
cacti 1.2.19+ds1-2ubuntu1.1
Ubuntu 20.04 LTS
cacti 1.2.10+ds1-1ubuntu1.1
Ubuntu 18.04 LTS
cacti 1.1.38+ds1-1ubuntu0.1~esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
cacti 0.8.8f+ds1-4ubuntu4.16.04.2+esm2
Available with Ubuntu Pro
Ubuntu 14.04 LTS
cacti 0.8.8b+dfsg-5ubuntu0.2+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6969-1
CVE-2024-25641, CVE-2024-29894, CVE-2024-31443, CVE-2024-31444,
CVE-2024-31445, CVE-2024-31458, CVE-2024-31459, CVE-2024-31460,
CVE-2024-34340
Package Information:
https://launchpad.net/ubuntu/+source/cacti/1.2.26+ds1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/cacti/1.2.19+ds1-2ubuntu1.1
https://launchpad.net/ubuntu/+source/cacti/1.2.10+ds1-1ubuntu1.1
signature.asc
Description: PGP signature
[USN-6966-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-6966-1 August 19, 2024 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-7518, CVE-2024-7521, CVE-2024-7524, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528, CVE-2024-7529, CVE-2024-7530, CVE-2024-7531) It was discovered that Firefox did not properly manage certain memory operations when processing graphics shared memory. An attacker could potentially exploit this issue to escape the sandbox. (CVE-2024-7519) Nan Wang discovered that Firefox did not properly handle type check in WebAssembly. An attacker could potentially exploit this issue to execute arbitrary code. (CVE-2024-7520) Irvan Kurniawan discovered that Firefox did not properly check an attribute value in the editor component, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. (CVE-2024-7522) Rob Wu discovered that Firefox did not properly check permissions when creating a StreamFilter. An attacker could possibly use this issue to modify response body of requests on any site using a web extension. (CVE-2024-7525) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS firefox 129.0.1+build1-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes References: https://ubuntu.com/security/notices/USN-6966-1 CVE-2024-7518, CVE-2024-7519, CVE-2024-7520, CVE-2024-7521, CVE-2024-7522, CVE-2024-7524, CVE-2024-7525, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528, CVE-2024-7529, CVE-2024-7530, CVE-2024-7531 Package Information: https://launchpad.net/ubuntu/+source/firefox/129.0.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6916-1] Lua vulnerabilities
== Ubuntu Security Notice USN-6916-1 July 29, 2024 lua5.4 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Lua. Software Description: - lua5.4: Simple, extensible, embeddable programming language Details: It was discovered that Lua did not properly generate code when "_ENV" is constant. An attacker could possibly use this issue to cause a denial of service or execute arbitrary unstrusted lua code. (CVE-2022-28805) It was discovered that Lua did not properly handle C stack overflows during error handling. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-33099) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS lua5.4 5.4.4-1ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6916-1 CVE-2022-28805, CVE-2022-33099 signature.asc Description: PGP signature
[USN-6903-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6903-1 July 22, 2024 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2024-6600, CVE-2024-6601, CVE-2024-6604) Ronald Crane discovered that Thunderbird did not properly manage certain memory operations in the NSS. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-6602) Irvan Kurniawan discovered that Thunderbird did not properly manage memory during thread creation. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-6603) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS thunderbird 1:115.13.0+build5-0ubuntu0.22.04.1 Ubuntu 20.04 LTS thunderbird 1:115.13.0+build5-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6903-1 CVE-2024-6600, CVE-2024-6601, CVE-2024-6602, CVE-2024-6603, CVE-2024-6604 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.13.0+build5-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.13.0+build5-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6886-1] Go vulnerabilities
== Ubuntu Security Notice USN-6886-1 July 09, 2024 golang-1.21, golang-1.22 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Go. Software Description: - golang-1.21: Go programming language compiler - golang-1.22: Go programming language compiler Details: It was discovered that the Go net/http module did not properly handle the requests when request\'s headers exceed MaxHeaderBytes. An attacker could possibly use this issue to cause a panic resulting into a denial of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45288) It was discovered that the Go net/http module did not properly validate the subdomain match or exact match of the initial domain. An attacker could possibly use this issue to read sensitive information. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289) It was discovered that the Go net/http module did not properly validate the total size of the parsed form when parsing a multipart form. An attacker could possibly use this issue to cause a panic resulting into a denial of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45290) It was discovered that the Go crypto/x509 module did not properly handle a certificate chain which contains a certificate with an unknown public key algorithm. An attacker could possibly use this issue to cause a panic resulting into a denial of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-24783) It was discovered that the Go net/mail module did not properly handle comments within display names in the ParseAddressList function. An attacker could possibly use this issue to cause a panic resulting into a denial of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-24784) It was discovered that the Go html/template module did not validate errors returned from MarshalJSON methods. An attacker could possibly use this issue to inject arbitrary code into the Go template. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-24785) It was discovered that the Go net module did not properly validate the DNS message in response to a query. An attacker could possibly use this issue to cause a panic resulting into a denial of service. This issue only affected Go 1.22. (CVE-2024-24788) It was discovered that the Go archive/zip module did not properly handle certain types of invalid zip files differs from the behavior of most zip implementations. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2024-24789) It was discovered that the Go net/netip module did not work as expected for IPv4-mapped IPv6 addresses in various Is methods. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2024-24790) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS golang-1.21 1.21.9-1ubuntu0.1 golang-1.21-go 1.21.9-1ubuntu0.1 golang-1.21-src 1.21.9-1ubuntu0.1 golang-1.22 1.22.2-2ubuntu0.1 golang-1.22-go 1.22.2-2ubuntu0.1 golang-1.22-src 1.22.2-2ubuntu0.1 Ubuntu 22.04 LTS golang-1.21 1.21.1-1~ubuntu22.04.3 golang-1.21-go 1.21.1-1~ubuntu22.04.3 golang-1.21-src 1.21.1-1~ubuntu22.04.3 golang-1.22 1.22.2-2~22.04.1 golang-1.22-go 1.22.2-2~22.04.1 golang-1.22-src 1.22.2-2~22.04.1 Ubuntu 20.04 LTS golang-1.21 1.21.1-1~ubuntu20.04.3 golang-1.21-go 1.21.1-1~ubuntu20.04.3 golang-1.21-src 1.21.1-1~ubuntu20.04.3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6886-1 CVE-2023-45288, CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785, CVE-2024-24788, CVE-2024-24789, CVE-2024-24790 Package Information: https://launchpad.net/ubuntu/+source/golang-1.21/1.21.9-1ubuntu0.1 https://launchpad.net/ubuntu/+source/golang-1.22/1.22.2-2ubuntu0.1 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu22.04.3 https://launchpad.net/ubuntu/+source/golang-1.22/1.22.2-2~22.04.1 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu20.04.3 signature.asc Description: PGP signature
[USN-6858-1] eSpeak NG vulnerabilities
== Ubuntu Security Notice USN-6858-1 July 01, 2024 espeak-ng vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in eSpeak NG. Software Description: - espeak-ng: Multi-lingual software speech synthesizer Details: It was discovered that eSpeak NG did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. (CVE-2023-49990, CVE-2023-49991, CVE-2023-49992, CVE-2023-49993, CVE-2023-49994) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10 espeak-ng 1.51+dfsg-11ubuntu0.1 espeak-ng-espeak1.51+dfsg-11ubuntu0.1 Ubuntu 22.04 LTS espeak-ng 1.50+dfsg-10ubuntu0.1 espeak-ng-espeak1.50+dfsg-10ubuntu0.1 Ubuntu 20.04 LTS espeak-ng 1.50+dfsg-6ubuntu0.1 espeak-ng-espeak1.50+dfsg-6ubuntu0.1 Ubuntu 18.04 LTS espeak-ng 1.49.2+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro espeak-ng-espeak1.49.2+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6858-1 CVE-2023-49990, CVE-2023-49991, CVE-2023-49992, CVE-2023-49993, CVE-2023-49994 Package Information: https://launchpad.net/ubuntu/+source/espeak-ng/1.51+dfsg-11ubuntu0.1 https://launchpad.net/ubuntu/+source/espeak-ng/1.50+dfsg-10ubuntu0.1 https://launchpad.net/ubuntu/+source/espeak-ng/1.50+dfsg-6ubuntu0.1 signature.asc Description: PGP signature
[USN-6840-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6840-1 June 19, 2024 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code.(CVE-2024-5688, CVE-2024-5690, CVE-2024-5696, CVE-2024-5700, CVE-2024-5702) Luan Herrera discovered that Thunderbird did not properly validate the X-Frame-Options header inside sandboxed iframe. An attacker could potentially exploit this issue to bypass sandbox restrictions to open a new window. (CVE-2024-5691) Kirtikumar Anandrao Ramchandani discovered that Thunderbird did not properly track cross-origin tainting in Offscreen Canvas. An attacker could potentially exploit this issue to access image data from another site in violation of same-origin policy. (CVE-2024-5693) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10 thunderbird 1:115.12.0+build3-0ubuntu0.23.10.1 Ubuntu 22.04 LTS thunderbird 1:115.12.0+build3-0ubuntu0.22.04.1 Ubuntu 20.04 LTS thunderbird 1:115.12.0+build3-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6840-1 CVE-2024-5688, CVE-2024-5690, CVE-2024-5691, CVE-2024-5693, CVE-2024-5696, CVE-2024-5700, CVE-2024-5702 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.12.0+build3-0ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.12.0+build3-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.12.0+build3-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6779-2] Firefox regressions
== Ubuntu Security Notice USN-6779-2 May 29, 2024 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: USN-6779-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-6779-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778) Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory when audio input connected with multiple consumers. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-4764) Thomas Rinsma discovered that Firefox did not properly handle type check when handling fonts in PDF.js. An attacker could potentially exploit this issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367) Irvan Kurniawan discovered that Firefox did not properly handle certain font styles when saving a page to PDF. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-4770) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS firefox 126.0.1+build1-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6779-2 https://ubuntu.com/security/notices/USN-6779-1 https://launchpad.net/bugs/2067445 Package Information: https://launchpad.net/ubuntu/+source/firefox/126.0.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6782-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6782-1 May 22, 2024 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4777) Thomas Rinsma discovered that Thunderbird did not properly handle type check when handling fonts in PDF.js. An attacker could potentially exploit this issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367) Irvan Kurniawan discovered that Thunderbird did not properly handle certain font styles when saving a page to PDF. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-4770) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10 thunderbird 1:115.11.0+build2-0ubuntu0.23.10.1 Ubuntu 22.04 LTS thunderbird 1:115.11.0+build2-0ubuntu0.22.04.1 Ubuntu 20.04 LTS thunderbird 1:115.11.0+build2-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6782-1 CVE-2024-4367, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, CVE-2024-4777 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.11.0+build2-0ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.11.0+build2-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.11.0+build2-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6779-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-6779-1 May 21, 2024 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778) Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory when audio input connected with multiple consumers. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-4764) Thomas Rinsma discovered that Firefox did not properly handle type check when handling fonts in PDF.js. An attacker could potentially exploit this issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367) Irvan Kurniawan discovered that Firefox did not properly handle certain font styles when saving a page to PDF. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-4770) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS firefox 126.0+build2-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6779-1 CVE-2024-4367, CVE-2024-4764, CVE-2024-4767, CVE-2024-4768, CVE-2024-4769, CVE-2024-4770, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778 Package Information: https://launchpad.net/ubuntu/+source/firefox/126.0+build2-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6747-2] Firefox regressions
== Ubuntu Security Notice USN-6747-2 May 02, 2024 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: USN-6747-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-6747-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-3852, CVE-2024-3864, CVE-2024-3865) Bartek Nowotarski discovered that Firefox did not properly limit HTTP/2 CONTINUATION frames. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-3302) Gary Kwong discovered that Firefox did not properly manage memory when running garbage collection during realm initialization. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-3853) Lukas Bernhard discovered that Firefox did not properly manage memory during JIT optimisations, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. (CVE-2024-3854, CVE-2024-3855) Nan Wang discovered that Firefox did not properly manage memory during WASM garbage collection. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-3856) Lukas Bernhard discovered that Firefox did not properly manage memory when handling JIT created code during garbage collection. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-3857) Lukas Bernhard discovered that Firefox did not properly manage memory when tracing in JIT. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-3858) Ronald Crane discovered that Firefox did not properly manage memory in the OpenType sanitizer on 32-bit devices, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. (CVE-2024-3859) Garry Kwong discovered that Firefox did not properly manage memory when tracing empty shape lists in JIT. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-3860) Ronald Crane discovered that Firefox did not properly manage memory when handling an AlignedBuffer. An attacker could potentially exploit this issue to cause denial of service, or execute arbitrary code. (CVE-2024-3861) Ronald Crane discovered that Firefox did not properly manage memory when handling code in MarkStack. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2024-3862) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS firefox 125.0.3+build1-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6747-2 https://ubuntu.com/security/notices/USN-6747-1 https://launchpad.net/bugs/2064553 Package Information: https://launchpad.net/ubuntu/+source/firefox/125.0.3+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6750-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6750-1 April 25, 2024 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2024-2609, CVE-2024-3852, CVE-2024-3864) Bartek Nowotarski discovered that Thunderbird did not properly limit HTTP/2 CONTINUATION frames. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-3302) Lukas Bernhard discovered that Thunderbird did not properly manage memory during JIT optimisations, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. (CVE-2024-3854) Lukas Bernhard discovered that Thunderbird did not properly manage memory when handling JIT created code during garbage collection. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-3857) Ronald Crane discovered that Thunderbird did not properly manage memory in the OpenType sanitizer on 32-bit devices, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. (CVE-2024-3859) Ronald Crane discovered that Thunderbird did not properly manage memory when handling an AlignedBuffer. An attacker could potentially exploit this issue to cause denial of service, or execute arbitrary code. (CVE-2024-3861) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: thunderbird 1:115.10.1+build1-0ubuntu0.23.10.1 Ubuntu 22.04 LTS: thunderbird 1:115.10.1+build1-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: thunderbird 1:115.10.1+build1-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6750-1 CVE-2024-2609, CVE-2024-3302, CVE-2024-3852, CVE-2024-3854, CVE-2024-3857, CVE-2024-3859, CVE-2024-3861, CVE-2024-3864 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6649-2] Firefox regressions
== Ubuntu Security Notice USN-6649-2 March 06, 2024 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: USN-6649-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-6649-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550, CVE-2024-1553, CVE-2024-1554, CVE-2024-1555, CVE-2024-1557) Alfred Peters discovered that Firefox did not properly manage memory when storing and re-accessing data on a networking channel. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-1546) Johan Carlsson discovered that Firefox incorrectly handled Set-Cookie response headers in multipart HTTP responses. An attacker could potentially exploit this issue to inject arbitrary cookie values. (CVE-2024-1551) Gary Kwong discovered that Firefox incorrectly generated codes on 32-bit ARM devices, which could lead to unexpected numeric conversions or undefined behaviour. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-1552) Ronald Crane discovered that Firefox did not properly manage memory when accessing the built-in profiler. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-1556) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 123.0.1+build1-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6649-2 https://ubuntu.com/security/notices/USN-6649-1 https://launchpad.net/bugs/2056258 Package Information: https://launchpad.net/ubuntu/+source/firefox/123.0.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6669-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6669-1 March 04, 2024 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2024-0741, CVE-2024-0742, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0755, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550, CVE-2024-1553) Cornel Ionce discovered that Thunderbird did not properly manage memory when opening the print preview dialog. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-0746) Alfred Peters discovered that Thunderbird did not properly manage memory when storing and re-accessing data on a networking channel. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-1546) Johan Carlsson discovered that Thunderbird incorrectly handled Set-Cookie response headers in multipart HTTP responses. An attacker could potentially exploit this issue to inject arbitrary cookie values. (CVE-2024-1551) Gary Kwong discovered that Thunderbird incorrectly generated codes on 32-bit ARM devices, which could lead to unexpected numeric conversions or undefined behaviour. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-1552) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: thunderbird 1:115.8.1+build1-0ubuntu0.23.10.1 Ubuntu 22.04 LTS: thunderbird 1:115.8.1+build1-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: thunderbird 1:115.8.1+build1-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6669-1 CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0755, CVE-2024-1546, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550, CVE-2024-1551, CVE-2024-1552, CVE-2024-1553 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6654-1] Roundcube Webmail vulnerability
== Ubuntu Security Notice USN-6654-1 February 26, 2024 roundcube vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS (Available with Ubuntu Pro) - Ubuntu 20.04 LTS (Available with Ubuntu Pro) - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Roundcube Webmail could allow cross-site scripting (XSS) attacks. Software Description: - roundcube: skinnable AJAX based webmail solution for IMAP servers Details: It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. (CVE-2023-43770) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: roundcube 1.6.2+dfsg-1ubuntu0.1 roundcube-core 1.6.2+dfsg-1ubuntu0.1 Ubuntu 22.04 LTS (Available with Ubuntu Pro): roundcube 1.5.0+dfsg.1-2ubuntu0.1~esm2 roundcube-core 1.5.0+dfsg.1-2ubuntu0.1~esm2 Ubuntu 20.04 LTS (Available with Ubuntu Pro): roundcube 1.4.3+dfsg.1-1ubuntu0.1~esm3 roundcube-core 1.4.3+dfsg.1-1ubuntu0.1~esm3 Ubuntu 18.04 LTS (Available with Ubuntu Pro): roundcube 1.3.6+dfsg.1-1ubuntu0.1~esm3 roundcube-core 1.3.6+dfsg.1-1ubuntu0.1~esm3 Ubuntu 16.04 LTS (Available with Ubuntu Pro): roundcube 1.2~beta+dfsg.1-0ubuntu1+esm3 roundcube-core 1.2~beta+dfsg.1-0ubuntu1+esm3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6654-1 CVE-2023-43770 Package Information: https://launchpad.net/ubuntu/+source/roundcube/1.6.2+dfsg-1ubuntu0.1 signature.asc Description: PGP signature
[USN-6610-2] Firefox regressions
== Ubuntu Security Notice USN-6610-2 February 07, 2024 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: USN-6610-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-6610-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-0741, CVE-2024-0742, CVE-2024-0743, CVE-2024-0744, CVE-2024-0745, CVE-2024-0747, CVE-2024-0748, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0754, CVE-2024-0755) Cornel Ionce discovered that Firefox did not properly manage memory when opening the print preview dialog. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-0746) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 122.0.1+build1-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6610-2 https://ubuntu.com/security/notices/USN-6610-1 https://launchpad.net/bugs/2052580 Package Information: https://launchpad.net/ubuntu/+source/firefox/122.0.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6619-1] runC vulnerability
== Ubuntu Security Notice USN-6619-1 January 31, 2024 runc vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) Summary: runC could be made to expose sensitive information or allow to escape contianers. Software Description: - runc: Open Container Project Details: Rory McNamara discovered that runC did not properly manage internal file descriptor while managing containers. An attacker could possibly use this issue to obtain sensitive information or bypass container restrictions. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: runc1.1.7-0ubuntu2.2 Ubuntu 22.04 LTS: runc1.1.7-0ubuntu1~22.04.2 Ubuntu 20.04 LTS: runc1.1.7-0ubuntu1~20.04.2 Ubuntu 18.04 LTS (Available with Ubuntu Pro): runc1.1.4-0ubuntu1~18.04.2+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6619-1 CVE-2024-21626 Package Information: https://launchpad.net/ubuntu/+source/runc/1.1.7-0ubuntu2.2 https://launchpad.net/ubuntu/+source/runc/1.1.7-0ubuntu1~22.04.2 https://launchpad.net/ubuntu/+source/runc/1.1.7-0ubuntu1~20.04.2 signature.asc Description: PGP signature
[USN-6610-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-6610-1 January 29, 2024 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2024-0741, CVE-2024-0742, CVE-2024-0743, CVE-2024-0744, CVE-2024-0745, CVE-2024-0747, CVE-2024-0748, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0754, CVE-2024-0755) Cornel Ionce discovered that Firefox did not properly manage memory when opening the print preview dialog. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2024-0746) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 122.0+build2-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6610-1 CVE-2024-0741, CVE-2024-0742, CVE-2024-0743, CVE-2024-0744, CVE-2024-0745, CVE-2024-0746, CVE-2024-0747, CVE-2024-0748, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0754, CVE-2024-0755 Package Information: https://launchpad.net/ubuntu/+source/firefox/122.0+build2-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6538-2] PostgreSQL vulnerabilities
== Ubuntu Security Notice USN-6538-2 January 17, 2024 postgresql-10 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in PostgreSQL. Software Description: - postgresql-10: Object-relational SQL database Details: USN-6538-1 fixed several vulnerabilities in PostgreSQL. This update provides the corresponding updates for Ubuntu 18.04 LTS. Original advisory details: Jingzhou Fu discovered that PostgreSQL incorrectly handled certain unknown arguments in aggregate function calls. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2023-5868) Pedro Gallegos discovered that PostgreSQL incorrectly handled modifying certain SQL array values. A remote attacker could use this issue to obtain sensitive information, or possibly execute arbitrary code. (CVE-2023-5869) Hemanth Sandrana and Mahendrakar Srinivasarao discovered that PostgreSQL allowed the pg_signal_backend role to signal certain superuser processes, contrary to expectations. (CVE-2023-5870) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS (Available with Ubuntu Pro): postgresql-10 10.23-0ubuntu0.18.04.2+esm1 postgresql-client-1010.23-0ubuntu0.18.04.2+esm1 After a standard system update you need to restart PostgreSQL to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6538-2 https://ubuntu.com/security/notices/USN-6538-1 CVE-2023-5868, CVE-2023-5869, CVE-2023-5870 signature.asc Description: PGP signature
[USN-6562-2] Firefox regressions
== Ubuntu Security Notice USN-6562-2 January 11, 2024 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: USN-6562-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-6562-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code.(CVE-2023-6865, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6866, CVE-2023-6867, CVE-2023-6861, CVE-2023-6869, CVE-2023-6871, CVE-2023-6872, CVE-2023-6863, CVE-2023-6864, CVE-2023-6873) DoHyun Lee discovered that Firefox did not properly manage memory when used on systems with the Mesa VM driver. An attacker could potentially exploit this issue to execute arbitrary code. (CVE-2023-6856) George Pantela and Hubert Kario discovered that Firefox using multiple NSS NIST curves which were susceptible to a side-channel attack known as "Minerva". An attacker could potentially exploit this issue to obtain sensitive information. (CVE-2023-6135) Andrew Osmond discovered that Firefox did not properly validate the textures produced by remote decoders. An attacker could potentially exploit this issue to escape the sandbox. (CVE-2023-6860) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 121.0.1+build1-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6562-2 https://ubuntu.com/security/notices/USN-6562-1 https://launchpad.net/bugs/2048961 Package Information: https://launchpad.net/ubuntu/+source/firefox/121.0.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6574-1] Go vulnerabilities
== Ubuntu Security Notice USN-6574-1 January 11, 2024 Go vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Go. Software Description: - golang-1.20: Go programming language compiler - golang-1.21: Go programming language compiler Details: Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of html/template module. An attacker could possibly use this issue to inject Javascript code and perform a cross site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319) It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time. (CVE-2023-39323) It was discovered that Go did not limit the number of simultaneously executing handler goroutines in the net/http module. An attacker could possibly use this issue to cause a panic resulting into a denial of service. (CVE-2023-39325, CVE-2023-44487) It was discovered that the Go net/http module did not properly validate the chunk extensions reading from a request or response body. An attacker could possibly use this issue to read sensitive information. (CVE-2023-39326) It was discovered that Go did not properly validate the insecure "git://" protocol when using go get to fetch a module with the ".git" suffix. An attacker could possibly use this issue to bypass secure protocol checks. (CVE-2023-45285) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: golang-1.20 1.20.8-1ubuntu0.23.10.1 golang-1.20-go 1.20.8-1ubuntu0.23.10.1 golang-1.20-src 1.20.8-1ubuntu0.23.10.1 golang-1.21 1.21.1-1ubuntu0.23.10.1 golang-1.21-go 1.21.1-1ubuntu0.23.10.1 golang-1.21-src 1.21.1-1ubuntu0.23.10.1 Ubuntu 23.04: golang-1.20 1.20.3-1ubuntu0.2 golang-1.20-go 1.20.3-1ubuntu0.2 golang-1.20-src 1.20.3-1ubuntu0.2 golang-1.21 1.21.1-1~ubuntu23.04.2 golang-1.21-go 1.21.1-1~ubuntu23.04.2 golang-1.21-src 1.21.1-1~ubuntu23.04.2 Ubuntu 22.04 LTS: golang-1.20 1.20.3-1ubuntu0.1~22.04.1 golang-1.20-go 1.20.3-1ubuntu0.1~22.04.1 golang-1.20-src 1.20.3-1ubuntu0.1~22.04.1 golang-1.21 1.21.1-1~ubuntu22.04.2 golang-1.21-go 1.21.1-1~ubuntu22.04.2 golang-1.21-src 1.21.1-1~ubuntu22.04.2 Ubuntu 20.04 LTS: golang-1.20 1.20.3-1ubuntu0.1~20.04.1 golang-1.20-go 1.20.3-1ubuntu0.1~20.04.1 golang-1.20-src 1.20.3-1ubuntu0.1~20.04.1 golang-1.21 1.21.1-1~ubuntu20.04.2 golang-1.21-go 1.21.1-1~ubuntu20.04.2 golang-1.21-src 1.21.1-1~ubuntu20.04.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6574-1 CVE-2023-39318, CVE-2023-39319, CVE-2023-39323, CVE-2023-39325, CVE-2023-39326, CVE-2023-44487, CVE-2023-45285 Package Information: https://launchpad.net/ubuntu/+source/golang-1.20/1.20.8-1ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/golang-1.20/1.20.3-1ubuntu0.2 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu23.04.2 https://launchpad.net/ubuntu/+source/golang-1.20/1.20.3-1ubuntu0.1~22.04.1 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu22.04.2 https://launchpad.net/ubuntu/+source/golang-1.20/1.20.3-1ubuntu0.1~20.04.1 https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu20.04.2 signature.asc Description: PGP signature
[USN-6563-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6563-1 January 02, 2024 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code.(CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864) Marcus Brinkmann discovered that Thunderbird did not properly parse a PGP/MIME payload that contains digitally signed text. An attacker could potentially exploit this issue to spoof an email message. (CVE-2023-50762) Marcus Brinkmann discovered that Thunderbird did not properly compare the signature creation date with the message date and time when using digitally signed S/MIME email message. An attacker could potentially exploit this issue to spoof date and time of an email message. (CVE-2023-50761) DoHyun Lee discovered that Thunderbird did not properly manage memory when used on systems with the Mesa VM driver. An attacker could potentially exploit this issue to execute arbitrary code. (CVE-2023-6856) Andrew Osmond discovered that Thunderbird did not properly validate the textures produced by remote decoders. An attacker could potentially exploit this issue to escape the sandbox. (CVE-2023-6860) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: thunderbird 1:115.6.0+build2-0ubuntu0.23.10.1 Ubuntu 23.04: thunderbird 1:115.6.0+build2-0ubuntu0.23.04.1 Ubuntu 22.04 LTS: thunderbird 1:115.6.0+build2-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: thunderbird 1:115.6.0+build2-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6563-1 CVE-2023-50761, CVE-2023-50762, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.6.0+build2-0ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.6.0+build2-0ubuntu0.23.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.6.0+build2-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.6.0+build2-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6562-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-6562-1 January 02, 2024 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code.(CVE-2023-6865, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6866, CVE-2023-6867, CVE-2023-6861, CVE-2023-6869, CVE-2023-6871, CVE-2023-6872, CVE-2023-6863, CVE-2023-6864, CVE-2023-6873) DoHyun Lee discovered that Firefox did not properly manage memory when used on systems with the Mesa VM driver. An attacker could potentially exploit this issue to execute arbitrary code. (CVE-2023-6856) George Pantela and Hubert Kario discovered that Firefox using multiple NSS NIST curves which were susceptible to a side-channel attack known as "Minerva". An attacker could potentially exploit this issue to obtain sensitive information. (CVE-2023-6135) Andrew Osmond discovered that Firefox did not properly validate the textures produced by remote decoders. An attacker could potentially exploit this issue to escape the sandbox. (CVE-2023-6860) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 121.0+build1-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6562-1 CVE-2023-6135, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, CVE-2023-6866, CVE-2023-6867, CVE-2023-6869, CVE-2023-6871, CVE-2023-6872, CVE-2023-6873 Package Information: https://launchpad.net/ubuntu/+source/firefox/121.0+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6508-2] poppler regression
== Ubuntu Security Notice USN-6508-2 November 28, 2023 poppler regression == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS (Available with Ubuntu Pro) Summary: USN-6508-1 caused some minor regressions in poppler. Software Description: - poppler: PDF rendering library Details: USN-6508-1 fixed vulnerabilities in poppler. The update introduced one minor regression in Ubuntu 18.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that poppler incorrectly handled certain malformed PDF files. If a user or an automated system were tricked into opening a specially crafted PDF file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-23804) It was discovered that poppler incorrectly handled certain malformed PDF files. If a user or an automated system were tricked into opening a specially crafted PDF file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-37050, CVE-2022-37051, CVE-2022-37052, CVE-2022-38349) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS (Available with Ubuntu Pro): libpoppler730.62.0-2ubuntu2.14+esm3 poppler-utils 0.62.0-2ubuntu2.14+esm3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6508-2 https://ubuntu.com/security/notices/USN-6508-1 https://launchpad.net/bugs/2045027 signature.asc Description: PGP signature
[USN-6515-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6515-1 November 27, 2023 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2023-6206, CVE-2023-6212) It was discovered that Thudnerbird did not properly manage memory when images were created on the canvas element. An attacker could potentially exploit this issue to obtain sensitive information. (CVE-2023-6204) It discovered that Thunderbird incorrectly handled certain memory when using a MessagePort. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-6205) It discovered that Thunderbird incorrectly did not properly manage ownership in ReadableByteStreams. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-6207) It discovered that Thudnerbird incorrectly did not properly manage copy operations when using Selection API in X11. An attacker could potentially exploit this issue to obtain sensitive information. (CVE-2023-6208) Rachmat Abdul Rokhim discovered that Thunderbird incorrectly handled parsing of relative URLS starting with "///". An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-6209) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: thunderbird 1:115.5.0+build1-0ubuntu0.23.10.1 Ubuntu 23.04: thunderbird 1:115.5.0+build1-0ubuntu0.23.04.1 Ubuntu 22.04 LTS: thunderbird 1:115.5.0+build1-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: thunderbird 1:115.5.0+build1-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6515-1 CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.5.0+build1-0ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.5.0+build1-0ubuntu0.23.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.5.0+build1-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.5.0+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6508-1] poppler vulnerabilities
== Ubuntu Security Notice USN-6508-1 November 23, 2023 poppler vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in poppler. Software Description: - poppler: PDF rendering library Details: It was discovered that poppler incorrectly handled certain malformed PDF files. If a user or an automated system were tricked into opening a specially crafted PDF file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-23804) It was discovered that poppler incorrectly handled certain malformed PDF files. If a user or an automated system were tricked into opening a specially crafted PDF file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-37050, CVE-2022-37051, CVE-2022-37052, CVE-2022-38349) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: libpoppler118 22.02.0-2ubuntu0.3 poppler-utils 22.02.0-2ubuntu0.3 Ubuntu 20.04 LTS: libpoppler970.86.1-0ubuntu1.4 poppler-utils 0.86.1-0ubuntu1.4 Ubuntu 18.04 LTS (Available with Ubuntu Pro): libpoppler730.62.0-2ubuntu2.14+esm2 poppler-utils 0.62.0-2ubuntu2.14+esm2 Ubuntu 16.04 LTS (Available with Ubuntu Pro): libpoppler580.41.0-0ubuntu1.16+esm4 poppler-utils 0.41.0-0ubuntu1.16+esm4 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6508-1 CVE-2020-23804, CVE-2022-37050, CVE-2022-37051, CVE-2022-37052, CVE-2022-38349 Package Information: https://launchpad.net/ubuntu/+source/poppler/22.02.0-2ubuntu0.3 https://launchpad.net/ubuntu/+source/poppler/0.86.1-0ubuntu1.4 signature.asc Description: PGP signature
[USN-6456-2] Firefox regressions
== Ubuntu Security Notice USN-6456-2 November 14, 2023 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: USN-6456-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-6456-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-5722, CVE-2023-5724, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730, CVE-2023-5731) Kelsey Gilbert discovered that Firefox did not properly manage certain browser prompts and dialogs due to an insufficient activation-delay. An attacker could potentially exploit this issue to perform clickjacking. (CVE-2023-5721) Daniel Veditz discovered that Firefox did not properly validate a cookie containing invalid characters. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-5723) Shaheen Fazim discovered that Firefox did not properly validate the URLs open by installed WebExtension. An attacker could potentially exploit this issue to obtain sensitive information. (CVE-2023-5725) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 119.0.1+build1-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6456-2 https://ubuntu.com/security/notices/USN-6456-1 https://launchpad.net/bugs/2043441 Package Information: https://launchpad.net/ubuntu/+source/firefox/119.0.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6468-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6468-1 November 02, 2023 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2023-5724, CVE-2023-5728, CVE-2023-5730, CVE-2023-5732) Kelsey Gilbert discovered that Thunderbird did not properly manage certain browser prompts and dialogs due to an insufficient activation-delay. An attacker could potentially exploit this issue to perform clickjacking. (CVE-2023-5721) Shaheen Fazim discovered that Thunderbird did not properly validate the URLs open by installed WebExtension. An attacker could potentially exploit this issue to obtain sensitive information. (CVE-2023-5725) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: thunderbird 1:115.4.1+build1-0ubuntu0.23.10.1 Ubuntu 23.04: thunderbird 1:115.4.1+build1-0ubuntu0.23.04.1 Ubuntu 22.04 LTS: thunderbird 1:115.4.1+build1-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: thunderbird 1:115.4.1+build1-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6468-1 CVE-2023-5721, CVE-2023-5724, CVE-2023-5725, CVE-2023-5728, CVE-2023-5730, CVE-2023-5732 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.4.1+build1-0ubuntu0.23.10.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.4.1+build1-0ubuntu0.23.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.4.1+build1-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.4.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6456-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-6456-1 October 30, 2023 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-5722, CVE-2023-5724, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730, CVE-2023-5731) Kelsey Gilbert discovered that Firefox did not properly manage certain browser prompts and dialogs due to an insufficient activation-delay. An attacker could potentially exploit this issue to perform clickjacking. (CVE-2023-5721) Daniel Veditz discovered that Firefox did not properly validate a cookie containing invalid characters. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-5723) Shaheen Fazim discovered that Firefox did not properly validate the URLs open by installed WebExtension. An attacker could potentially exploit this issue to obtain sensitive information. (CVE-2023-5725) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 119.0+build2-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6456-1 CVE-2023-5721, CVE-2023-5722, CVE-2023-5723, CVE-2023-5724, CVE-2023-5725, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730, CVE-2023-5731 Package Information: https://launchpad.net/ubuntu/+source/firefox/119.0+build2-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6362-2] .Net regressions
== Ubuntu Security Notice USN-6362-2 October 25, 2023 .Net regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.04 - Ubuntu 22.04 LTS Summary: An incomplete fix was discovered in .Net. Software Description: - dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Details: USN-6362-1 fixed vulnerabilities in .Net. It was discovered that the fix for [CVE-2023-36799](https://ubuntu.com/security/CVE-2023-36799) was incomplete. This update fixes the problem. Original advisory details: Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.04: aspnetcore-runtime-6.0 6.0.124-0ubuntu1~23.04.1 aspnetcore-runtime-7.0 7.0.113-0ubuntu1~23.04.1 dotnet-host 6.0.124-0ubuntu1~23.04.1 dotnet-host-7.0 7.0.113-0ubuntu1~23.04.1 dotnet-hostfxr-6.0 6.0.124-0ubuntu1~23.04.1 dotnet-hostfxr-7.0 7.0.113-0ubuntu1~23.04.1 dotnet-runtime-6.0 6.0.124-0ubuntu1~23.04.1 dotnet-runtime-7.0 7.0.113-0ubuntu1~23.04.1 dotnet-sdk-6.0 6.0.124-0ubuntu1~23.04.1 dotnet-sdk-7.0 7.0.113-0ubuntu1~23.04.1 dotnet6 6.0.124-0ubuntu1~23.04.1 dotnet7 7.0.113-0ubuntu1~23.04.1 Ubuntu 22.04 LTS: aspnetcore-runtime-6.0 6.0.124-0ubuntu1~22.04.1 aspnetcore-runtime-7.0 7.0.113-0ubuntu1~22.04.1 dotnet-host 6.0.124-0ubuntu1~22.04.1 dotnet-host-7.0 7.0.113-0ubuntu1~22.04.1 dotnet-hostfxr-6.0 6.0.124-0ubuntu1~22.04.1 dotnet-hostfxr-7.0 7.0.113-0ubuntu1~22.04.1 dotnet-runtime-6.0 6.0.124-0ubuntu1~22.04.1 dotnet-runtime-7.0 7.0.113-0ubuntu1~22.04.1 dotnet-sdk-6.0 6.0.124-0ubuntu1~22.04.1 dotnet-sdk-7.0 7.0.113-0ubuntu1~22.04.1 dotnet6 6.0.124-0ubuntu1~22.04.1 dotnet7 7.0.113-0ubuntu1~22.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6362-2 https://ubuntu.com/security/notices/USN-6362-1 CVE-2023-36799, https://launchpad.net/bugs/2040207, https://launchpad.net/bugs/2040208 Package Information: https://launchpad.net/ubuntu/+source/dotnet6/6.0.124-0ubuntu1~23.04.1 https://launchpad.net/ubuntu/+source/dotnet7/7.0.113-0ubuntu1~23.04.1 https://launchpad.net/ubuntu/+source/dotnet6/6.0.124-0ubuntu1~22.04.1 https://launchpad.net/ubuntu/+source/dotnet7/7.0.113-0ubuntu1~22.04.1 signature.asc Description: PGP signature
[USN-6438-2] .Net regressions
== Ubuntu Security Notice USN-6438-2 October 25, 2023 .Net regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 Summary: An incomplete fix was discovered in .Net. Software Description: - dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Details: USN-6438-1 fixed vulnerabilities in .Net. It was discovered that the fix for [CVE-2023-36799](https://ubuntu.com/security/CVE-2023-36799) was incomplete. This update fixes the problem. Original advisory details: Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-36799) It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-44487) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: aspnetcore-runtime-6.0 6.0.124-0ubuntu1~23.10.1 aspnetcore-runtime-7.0 7.0.113-0ubuntu1~23.10.1 dotnet-host 6.0.124-0ubuntu1~23.10.1 dotnet-host-7.0 7.0.113-0ubuntu1~23.10.1 dotnet-hostfxr-6.0 6.0.124-0ubuntu1~23.10.1 dotnet-hostfxr-7.0 7.0.113-0ubuntu1~23.10.1 dotnet-runtime-6.0 6.0.124-0ubuntu1~23.10.1 dotnet-runtime-7.0 7.0.113-0ubuntu1~23.10.1 dotnet-sdk-6.0 6.0.124-0ubuntu1~23.10.1 dotnet-sdk-7.0 7.0.113-0ubuntu1~23.10.1 dotnet6 6.0.124-0ubuntu1~23.10.1 dotnet7 7.0.113-0ubuntu1~23.10.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6438-2 https://ubuntu.com/security/notices/USN-6438-1 CVE-2023-36799, https://launchpad.net/bugs/2040207, https://launchpad.net/bugs/2040208 Package Information: https://launchpad.net/ubuntu/+source/dotnet6/6.0.124-0ubuntu1~23.10.1 https://launchpad.net/ubuntu/+source/dotnet7/7.0.113-0ubuntu1~23.10.1 signature.asc Description: PGP signature
[USN-6436-1] FRR vulnerabilities
== Ubuntu Security Notice USN-6436-1 October 18, 2023 frr vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in FRR. Software Description: - frr: FRRouting suite of internet protocols Details: It was discovered that the FRR did not properly check the attribute length in NRLI. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-41358) It was discovered that the FRR did not properly manage memory when reading initial bytes of ORF header. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-41360) It was discovered that FRR did not properly validate the attributes in the BGP FlowSpec functionality. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-41909) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.04: frr 8.4.2-1ubuntu1.4 Ubuntu 22.04 LTS: frr 8.1-1ubuntu1.6 Ubuntu 20.04 LTS (Available with Ubuntu Pro): frr 7.2.1-1ubuntu0.2+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6436-1 CVE-2023-41358, CVE-2023-41360, CVE-2023-41909 Package Information: https://launchpad.net/ubuntu/+source/frr/8.4.2-1ubuntu1.4 https://launchpad.net/ubuntu/+source/frr/8.1-1ubuntu1.6 signature.asc Description: PGP signature
[USN-6432-1] Quagga vulnerabilities
== Ubuntu Security Notice USN-6432-1 October 17, 2023 quagga vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in Quagga. Software Description: - quagga: BGP/OSPF/RIP routing daemon Details: It was discovered that the Quagga BGP daemon did not properly check the attribute length in NRLI. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-41358) It was discovered that the Quagga BGP daemon did not properly manage memory when reading initial bytes of ORF header. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-41360) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: quagga 1.2.4-4ubuntu0.1 Ubuntu 18.04 LTS (Available with Ubuntu Pro): quagga 1.2.4-1ubuntu0.1~esm1 Ubuntu 16.04 LTS (Available with Ubuntu Pro): quagga 0.99.24.1-2ubuntu1.4+esm1 After a standard system update you need to restart Quagga to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6432-1 CVE-2023-41358, CVE-2023-41360 Package Information: https://launchpad.net/ubuntu/+source/quagga/1.2.4-4ubuntu0.1 signature.asc Description: PGP signature
[USN-6404-2] Firefox regressions
== Ubuntu Security Notice USN-6404-2 October 11, 2023 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: USN-6404-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-6404-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-5169, CVE-2023-5170, CVE-2023-5171, CVE-2023-5172, CVE-2023-5175, CVE-2023-5176) Ronald Crane discovered that Firefox did not properly manage memory when non-HTTPS Alternate Services (network.http.altsvc.oe) is enabled. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-5173) Clément Lecigne discovered that Firefox did not properly manage memory when handling VP8 media stream. An attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-5217) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 118.0.2+build2-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6404-2 https://ubuntu.com/security/notices/USN-6404-1 https://launchpad.net/bugs/2038977 Package Information: https://launchpad.net/ubuntu/+source/firefox/118.0.2+build2-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6428-1] LibTIFF vulnerability
== Ubuntu Security Notice USN-6428-1 October 11, 2023 tiff vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) - Ubuntu 14.04 LTS (Available with Ubuntu Pro) Summary: LibTIFF could be made to crash if it opened a specially crafted file. Software Description: - tiff: Tag Image File Format (TIFF) library Details: It was discovered that LibTIFF could be made to read out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.04: libtiff-tools 4.5.0-5ubuntu1.2 libtiff64.5.0-5ubuntu1.2 Ubuntu 22.04 LTS: libtiff-tools 4.3.0-6ubuntu0.6 libtiff54.3.0-6ubuntu0.6 Ubuntu 20.04 LTS: libtiff-tools 4.1.0+git191117-2ubuntu0.20.04.10 libtiff54.1.0+git191117-2ubuntu0.20.04.10 Ubuntu 18.04 LTS (Available with Ubuntu Pro): libtiff-tools 4.0.9-5ubuntu0.10+esm3 libtiff54.0.9-5ubuntu0.10+esm3 Ubuntu 16.04 LTS (Available with Ubuntu Pro): libtiff-tools 4.0.6-1ubuntu0.8+esm13 libtiff54.0.6-1ubuntu0.8+esm13 Ubuntu 14.04 LTS (Available with Ubuntu Pro): libtiff-tools 4.0.3-7ubuntu0.11+esm10 libtiff54.0.3-7ubuntu0.11+esm10 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6428-1 CVE-2023-1916 Package Information: https://launchpad.net/ubuntu/+source/tiff/4.5.0-5ubuntu1.2 https://launchpad.net/ubuntu/+source/tiff/4.3.0-6ubuntu0.6 https://launchpad.net/ubuntu/+source/tiff/4.1.0+git191117-2ubuntu0.20.04.10 signature.asc Description: PGP signature
[USN-6420-1] Vim vulnerabilities
== Ubuntu Security Notice USN-6420-1 October 09, 2023 vim vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 14.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in Vim. Software Description: - vim: Vi IMproved - enhanced vi editor Details: It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-3235, CVE-2022-3278, CVE-2022-3297, CVE-2022-3491) It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3352, CVE-2022-4292) It was discovered that Vim incorrectly handled memory when replacing in virtualedit mode. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3234) It was discovered that Vim incorrectly handled memory when autocmd changes mark. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-3256) It was discovered that Vim did not properly perform checks on array index with negative width window. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. (CVE-2022-3324) It was discovered that Vim did not properly perform checks on a put command column with a visual block. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3520) It was discovered that Vim incorrectly handled memory when using autocommand to open a window. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-3591) It was discovered that Vim incorrectly handled memory when updating buffer of the component autocmd handler. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3705) It was discovered that Vim incorrectly handled floating point comparison with incorrect operator. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. and Ubuntu 22.04 LTS. (CVE-2022-4293) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: vim 2:8.2.3995-1ubuntu2.12 vim-athena 2:8.2.3995-1ubuntu2.12 vim-gtk 2:8.2.3995-1ubuntu2.12 vim-gtk32:8.2.3995-1ubuntu2.12 vim-nox 2:8.2.3995-1ubuntu2.12 vim-tiny2:8.2.3995-1ubuntu2.12 xxd 2:8.2.3995-1ubuntu2.12 Ubuntu 20.04 LTS: vim 2:8.1.2269-1ubuntu5.18 vim-athena 2:8.1.2269-1ubuntu5.18 vim-gtk 2:8.1.2269-1ubuntu5.18 vim-gtk32:8.1.2269-1ubuntu5.18 vim-nox 2:8.1.2269-1ubuntu5.18 vim-tiny2:8.1.2269-1ubuntu5.18 xxd 2:8.1.2269-1ubuntu5.18 Ubuntu 18.04 LTS (Available with Ubuntu Pro): vim 2:8.0.1453-1ubuntu1.13+esm5 vim-athena 2:8.0.1453-1ubuntu1.13+esm5 vim-gtk 2:8.0.1453-1ubuntu1.13+esm5 vim-gtk32:8.0.1453-1ubuntu1.13+esm5 vim-nox 2:8.0.1453-1ubuntu1.13+esm5 vim-tiny2:8.0.1453-1ubuntu1.13+esm5 xxd 2:8.0.1453-1ubuntu1.13+esm5 Ubuntu 14.04 LTS (Available with Ubuntu Pro): vim 2:7.4.052-1ubuntu3.1+esm13 vim-athena 2:7.4.052-1ubuntu3.1+esm13 vim-gnome 2:7.4.052-1ubuntu3.1+esm13 vim-gtk 2:7.4.052-1ubuntu3.1+esm13 vim-nox 2:7.4.052-1ubuntu3.1+esm13 vim-tiny2:7.4.052-1ubuntu3.1+esm13 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6420-1 CVE-2022-3234, CVE-2022-3235, CVE-2022-3256, CVE-2022-3278, CVE-2022-3297, CVE-2022-3324, CVE-2022-3352, CVE-2022-3491, CVE-2022-3520, CVE-2022-3591, CVE-2022-3705, CVE-2022-4292, CVE-2022-429
[USN-6405-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6405-1 October 03, 2023 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2023-4057, CVE-2023-4577, CVE-2023-4578, CVE-2023-4583, CVE-2023-4585, CVE-2023-5169, CVE-2023-5171, CVE-2023-5176) Andrew McCreight discovered that Thunderbird did not properly manage during the worker lifecycle. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-3600) Harveer Singh discovered that Thunderbird did not store push notifications in private browsing mode in encrypted form. An attacker could potentially exploit this issue to obtain sensitive information. (CVE-2023-4580) Clément Lecigne discovered that Thunderbird did not properly manage memory when handling VP8 media stream. An attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-5217) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.04: thunderbird 1:115.3.1+build1-0ubuntu0.23.04.1 Ubuntu 22.04 LTS: thunderbird 1:115.3.1+build1-0ubuntu0.22.04.2 Ubuntu 20.04 LTS: thunderbird 1:115.3.1+build1-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6405-1 CVE-2023-3600, CVE-2023-4057, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4583, CVE-2023-4585, CVE-2023-5169, CVE-2023-5171, CVE-2023-5176, CVE-2023-5217 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:115.3.1+build1-0ubuntu0.23.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:115.3.1+build1-0ubuntu0.22.04.2 https://launchpad.net/ubuntu/+source/thunderbird/1:115.3.1+build1-0ubuntu0.20.04.1 OpenPGP_0xEC873ACED468723C.asc Description: OpenPGP public key OpenPGP_signature Description: OpenPGP digital signature
[USN-6404-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-6404-1 October 03, 2023 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-5169, CVE-2023-5170, CVE-2023-5171, CVE-2023-5172, CVE-2023-5175, CVE-2023-5176) Ronald Crane discovered that Firefox did not properly manage memory when non-HTTPS Alternate Services (network.http.altsvc.oe) is enabled. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-5173) Clément Lecigne discovered that Firefox did not properly manage memory when handling VP8 media stream. An attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-5217) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 118.0.1+build1-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6404-1 CVE-2023-5169, CVE-2023-5170, CVE-2023-5171, CVE-2023-5172, CVE-2023-5173, CVE-2023-5175, CVE-2023-5176, CVE-2023-5217 Package Information: https://launchpad.net/ubuntu/+source/firefox/118.0.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6369-2] libwebp vulnerability
== Ubuntu Security Notice USN-6369-2 September 28, 2023 libwebp vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS (Available with Ubuntu Pro) Summary: libwebp could be made to crash or run programs if it opened a specially crafted file. Software Description: - libwebp: Lossy compression of digital photographic images. Details: USN-6369-1 fixed a vulnerability in libwebp. This update provides the corresponding update for Ubuntu 18.04 LTS. Original advisory details: It was discovered that libwebp incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this issue to cause libwebp to crash, resulting in a denial of service, or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS (Available with Ubuntu Pro): libwebp60.6.1-2ubuntu0.18.04.2+esm1 libwebpdemux2 0.6.1-2ubuntu0.18.04.2+esm1 libwebpmux3 0.6.1-2ubuntu0.18.04.2+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6369-2 https://ubuntu.com/security/notices/USN-6369-1 CVE-2023-4863 signature.asc Description: PGP signature
[USN-6368-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6368-1 September 14, 2023 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4581, CVE-2023-4584) It was discovered that Thunderbird did not properly manage memory when handling WebP images. If a user were tricked into opening a malicious WebP image file, an attacker could potentially exploit these to cause a denial of service or execute arbitrary code. (CVE-2023-4863) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.04: thunderbird 1:102.15.1+build1-0ubuntu0.23.04.1 Ubuntu 22.04 LTS: thunderbird 1:102.15.1+build1-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: thunderbird 1:102.15.1+build1-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6368-1 CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4581, CVE-2023-4584, CVE-2023-4863 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.1+build1-0ubuntu0.23.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.1+build1-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.1+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6367-1] Firefox vulnerability
== Ubuntu Security Notice USN-6367-1 September 14, 2023 firefox vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Firefox could be made to crash or run programs if it opened a malicious website. Software Description: - firefox: Mozilla Open Source web browser Details: It was discovered that Firefox did not properly manage memory when handling WebP images. If a user were tricked into opening a webpage containing malicious WebP image file, an attacker could potentially exploit these to cause a denial of service or execute arbitrary code. (CVE-2023-4863) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 117.0.1+build2-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6367-1 CVE-2023-4863 Package Information: https://launchpad.net/ubuntu/+source/firefox/117.0.1+build2-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6333-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-6333-1 September 04, 2023 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.04 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Junsung Lee discovered that Thunderbird did not properly validate the text direction override unicode character in filenames. An attacker could potentially exploits this issue by spoofing file extension while attaching a file in emails. (CVE-2023-3417) Max Vlasov discovered that Thunderbird Offscreen Canvas did not properly track cross-origin tainting. An attacker could potentially exploit this issue to access image data from another site in violation of same-origin policy. (CVE-2023-4045) Alexander Guryanov discovered that Thunderbird did not properly update the value of a global variable in WASM JIT analysis in some circumstances. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-4046) Mark Brand discovered that Thunderbird did not properly validate the size of an untrusted input stream. An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-4050) Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4055, CVE-2023-4056) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.04: thunderbird 1:102.15.0+build1-0ubuntu0.23.04.1 Ubuntu 22.04 LTS: thunderbird 1:102.15.0+build1-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: thunderbird 1:102.15.0+build1-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6333-1 CVE-2023-3417, CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4055, CVE-2023-4056 Package Information: https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.0+build1-0ubuntu0.23.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.0+build1-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.0+build1-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-6320-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-6320-1 August 30, 2023 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4578, CVE-2023-4581, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585) Lukas Bernhard discovered that Firefox did not properly manage memory when the "UpdateRegExpStatics" attempted to access "initialStringHeap". An attacker could potentially exploit this issue to cause a denial of service. (CVE-2023-4577) Malte Jürgens discovered that Firefox did not properly handle search queries if the search query itself was a well formed URL. An attacker could potentially exploit this issue to perform spoofing attacks. (CVE-2023-4579) Harveer Singh discovered that Firefox did not properly handle push notifications stored on disk in private browsing mode. An attacker could potentially exploits this issue to access sensitive information. (CVE-2023-4580) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 117.0+build2-0ubuntu0.20.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6320-1 CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4577, CVE-2023-4578, CVE-2023-4579, CVE-2023-4580, CVE-2023-4581, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585 Package Information: https://launchpad.net/ubuntu/+source/firefox/117.0+build2-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-5928-1] systemd vulnerabilities
== Ubuntu Security Notice USN-5928-1 March 07, 2023 systemd vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: Several security issues were fixed in systemd. Software Description: - systemd: system and service manager Details: It was discovered that systemd did not properly validate the time and accuracy values provided to the format_timespan() function. An attacker could possibly use this issue to cause a buffer overrun, leading to a denial of service attack. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3821) It was discovered that systemd did not properly manage the fs.suid_dumpable kernel configurations. A local attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-4415) It was discovered that systemd did not properly manage a crash with long backtrace data. A local attacker could possibly use this issue to cause a deadlock, leading to a denial of service attack. This issue only affected Ubuntu 22.10. (CVE-2022-45873) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: systemd 251.4-1ubuntu7.1 Ubuntu 22.04 LTS: systemd 249.11-0ubuntu3.7 Ubuntu 20.04 LTS: systemd 245.4-4ubuntu3.20 Ubuntu 18.04 LTS: systemd 237-3ubuntu10.57 Ubuntu 16.04 ESM: systemd 229-4ubuntu21.31+esm3 Ubuntu 14.04 ESM: systemd 204-5ubuntu20.31+esm2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5928-1 CVE-2022-3821, CVE-2022-4415, CVE-2022-45873 Package Information: https://launchpad.net/ubuntu/+source/systemd/251.4-1ubuntu7.1 https://launchpad.net/ubuntu/+source/systemd/249.11-0ubuntu3.7 https://launchpad.net/ubuntu/+source/systemd/245.4-4ubuntu3.20 https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.57 signature.asc Description: PGP signature
[USN-5880-2] Firefox regressions
== Ubuntu Security Notice USN-5880-2 March 01, 2023 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: USN-5880-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-5880-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Christian Holler discovered that Firefox did not properly manage memory when using PKCS 12 Safe Bag attributes. An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes. (CVE-2023-0767) Johan Carlsson discovered that Firefox did not properly manage child iframe's unredacted URI when using Content-Security-Policy-Report-Only header. An attacker could potentially exploits this to obtain sensitive information. (CVE-2023-25728) Vitor Torres discovered that Firefox did not properly manage permissions of extensions interaction via ExpandedPrincipals. An attacker could potentially exploits this issue to download malicious files or execute arbitrary code. (CVE-2023-25729) Irvan Kurniawan discovered that Firefox did not properly validate background script invoking requestFullscreen. An attacker could potentially exploit this issue to perform spoofing attacks. (CVE-2023-25730) Ronald Crane discovered that Firefox did not properly manage memory when using EncodeInputStream in xpcom. An attacker could potentially exploits this issue to cause a denial of service. (CVE-2023-25732) Samuel Grob discovered that Firefox did not properly manage memory when using wrappers wrapping a scripted proxy. An attacker could potentially exploits this issue to cause a denial of service. (CVE-2023-25735) Holger Fuhrmannek discovered that Firefox did not properly manage memory when using Module load requests. An attacker could potentially exploits this issue to cause a denial of service. (CVE-2023-25739) Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-25731, CVE-2023-25733, CVE-2023-25736, CVE-2023-25737, CVE-2023-25741, CVE-2023-25742, CVE-2023-25744, CVE-2023-25745) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 110.0.1+build2-0ubuntu0.20.04.1 Ubuntu 18.04 LTS: firefox 110.0.1+build2-0ubuntu0.18.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5880-2 https://ubuntu.com/security/notices/USN-5880-1 https://launchpad.net/bugs/2008861 Package Information: https://launchpad.net/ubuntu/+source/firefox/110.0.1+build2-0ubuntu0.20.04.1 https://launchpad.net/ubuntu/+source/firefox/110.0.1+build2-0ubuntu0.18.04.1 signature.asc Description: PGP signature
[USN-5739-2] MariaDB regression
== Ubuntu Security Notice USN-5739-2 February 22, 2023 mariadb-10.3, mariadb-10.6 regression == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: USN-5739-1 caused a regression. Software Description: - mariadb-10.6: MariaDB database - mariadb-10.3: MariaDB database Details: USN-5739-1 fixed vulnerabilities in MariaDB. It caused a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: MariaDB has been updated to 10.3.38 in Ubuntu 20.04 LTS and to 10.6.12 in Ubuntu 22.04 LTS and Ubuntu 22.10. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: mariadb-server 1:10.6.12-0ubuntu0.22.10.1 Ubuntu 22.04 LTS: mariadb-server 1:10.6.12-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: mariadb-server 1:10.3.38-0ubuntu0.20.04.1 This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5739-2 https://ubuntu.com/security/notices/USN-5739-1 https://launchpad.net/bugs/2006882 Package Information: https://launchpad.net/ubuntu/+source/mariadb-10.6/1:10.6.12-0ubuntu0.22.10.1 https://launchpad.net/ubuntu/+source/mariadb-10.6/1:10.6.12-0ubuntu0.22.04.1 https://launchpad.net/ubuntu/+source/mariadb-10.3/1:10.3.38-0ubuntu0.20.04.1 signature.asc Description: PGP signature
[USN-5880-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-5880-1 February 20, 2023 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Christian Holler discovered that Firefox did not properly manage memory when using PKCS 12 Safe Bag attributes. An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes. (CVE-2023-0767) Johan Carlsson discovered that Firefox did not properly manage child iframe's unredacted URI when using Content-Security-Policy-Report-Only header. An attacker could potentially exploits this to obtain sensitive information. (CVE-2023-25728) Vitor Torres discovered that Firefox did not properly manage permissions of extensions interaction via ExpandedPrincipals. An attacker could potentially exploits this issue to download malicious files or execute arbitrary code. (CVE-2023-25729) Irvan Kurniawan discovered that Firefox did not properly validate background script invoking requestFullscreen. An attacker could potentially exploit this issue to perform spoofing attacks. (CVE-2023-25730) Ronald Crane discovered that Firefox did not properly manage memory when using EncodeInputStream in xpcom. An attacker could potentially exploits this issue to cause a denial of service. (CVE-2023-25732) Samuel Grob discovered that Firefox did not properly manage memory when using wrappers wrapping a scripted proxy. An attacker could potentially exploits this issue to cause a denial of service. (CVE-2023-25735) Holger Fuhrmannek discovered that Firefox did not properly manage memory when using Module load requests. An attacker could potentially exploits this issue to cause a denial of service. (CVE-2023-25739) Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-25731, CVE-2023-25733, CVE-2023-25736, CVE-2023-25737, CVE-2023-25741, CVE-2023-25742, CVE-2023-25744, CVE-2023-25745) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 110.0+build3-0ubuntu0.20.04.1 Ubuntu 18.04 LTS: firefox 110.0+build3-0ubuntu0.18.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5880-1 CVE-2023-0767, CVE-2023-25728, CVE-2023-25729, CVE-2023-25730, CVE-2023-25731, CVE-2023-25732, CVE-2023-25733, CVE-2023-25735, CVE-2023-25736, CVE-2023-25737, CVE-2023-25739, CVE-2023-25741, CVE-2023-25742, CVE-2023-25744, CVE-2023-25745 Package Information: https://launchpad.net/ubuntu/+source/firefox/110.0+build3-0ubuntu0.20.04.1 https://launchpad.net/ubuntu/+source/firefox/110.0+build3-0ubuntu0.18.04.1 signature.asc Description: PGP signature
[USN-5824-1] Thunderbird vulnerabilities
== Ubuntu Security Notice USN-5824-1 February 06, 2023 thunderbird vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Thunderbird. Software Description: - thunderbird: Mozilla Open Source mail and newsgroup client Details: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. (CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-45410, CVE-2022-45411, CVE-2022-45418, CVE-2022-45420, CVE-2022-45421, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881, CVE-2022-46882, CVE-2023-23605) Armin Ebert discovered that Thunderbird did not properly manage memory while resolving file symlink. If a user were tricked into opening a specially crafted weblink, an attacker could potentially exploit these to cause a denial of service. (CVE-2022-45412) Sarah Jamie Lewis discovered that Thunderbird did not properly manage network request while handling HTML emails with certain tags. If a user were tricked into opening a specially HTML email, an attacker could potentially exploit these issue and load remote content regardless of a configuration to block remote content. (CVE-2022-45414) Erik Kraft, Martin Schwarzl, and Andrew McCreight discovered that Thunderbird incorrectly handled keyboard events. An attacker could possibly use this issue to perform a timing side-channel attack and possibly figure out which keys are being pressed. (CVE-2022-45416) It was discovered that Thunderbird was using an out-of-date libusrsctp library. An attacker could possibly use this library to perform a reentrancy issue on Thunderbird. (CVE-2022-46871) Nika Layzell discovered that Thunderbird was not performing a check on paste received from cross-processes. An attacker could potentially exploit this to obtain sensitive information. (CVE-2022-46872) Matthias Zoellner discovered that Thunderbird was not keeping the filename ending intact when using the drag-and-drop event. An attacker could possibly use this issue to add a file with a malicious extension, leading to execute arbitrary code. (CVE-2022-46874) Hafiizh discovered that Thunderbird was not properly handling fullscreen notifications when the window goes into fullscreen mode. An attacker could possibly use this issue to spoof the user and obtain sensitive information. (CVE-2022-46877) Tom Schuster discovered that Thunderbird was not performing a validation check on GTK drag data. An attacker could potentially exploits this to obtain sensitive information. (CVE-2023-23598) Vadim discovered that Thunderbird was not properly sanitizing a curl command output when copying a network request from the developer tools panel. An attacker could potentially exploits this to hide and execute arbitrary commands. (CVE-2023-23599) Luan Herrera discovered that Thunderbird was not stopping navigation when dragging a URL from a cross-origin iframe into the same tab. An attacker potentially exploits this to spoof the user. (CVE-2023-23601) Dave Vandyke discovered that Thunderbird did not properly implement CSP policy when creating a WebSocket in a WebWorker. An attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject an executable script. (CVE-2023-23602) Dan Veditz discovered that Thunderbird did not properly implement CSP policy on regular expression when using console.log. An attacker potentially exploits this to exfiltrate data. (CVE-2023-23603) It was discovered that Thunderbird did not properly check the Certificate OCSP revocation status when verifying S/Mime signatures. An attacker could possibly use this issue to bypass signature validation check by sending email signed with a revoked certificate. (CVE-2023-0430) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: thunderbird 1:102.7.1+build2-0ubuntu0.22.10.1 Ubuntu 22.04 LTS: thunderbird 1:102.7.1+build2-0ubuntu0.22.04.1 Ubuntu 20.04 LTS: thunderbird 1:102.7.1+build2-0ubuntu0.20.04.1 Ubuntu 18.04 LTS: thunderbird 1:102.7.1+build2-0ubuntu0.18.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5824-1 CVE-2022-45403, CVE-2022-45404, CVE-2022-45405, CVE-2022-45406, CVE-2022-45408, CVE-2022-45409, CVE-2022-4
[USN-5825-2] PAM regressions
== Ubuntu Security Notice USN-5825-2 February 06, 2023 pam regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: USN-5825-1 caused some minor regressions in PAM. Software Description: - pam: Pluggable Authentication Modules Details: USN-5825-1 fixed vulnerabilities in PAM. Unfortunately that update was incomplete and could introduce a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that PAM did not correctly restrict login from an IP address that is not resolvable via DNS. An attacker could possibly use this issue to bypass authentication. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: libpam-modules 1.5.2-2ubuntu1.3 Ubuntu 22.04 LTS: libpam-modules 1.4.0-11ubuntu2.3 Ubuntu 20.04 LTS: libpam-modules 1.3.1-5ubuntu4.6 Ubuntu 18.04 LTS: libpam-modules 1.1.8-3.6ubuntu2.18.04.6 Ubuntu 16.04 ESM: libpam-modules 1.1.8-3.2ubuntu2.3+esm4 Ubuntu 14.04 ESM: libpam-modules 1.1.8-1ubuntu2.2+esm3 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5825-2 https://ubuntu.com/security/notices/USN-5825-1 CVE-2022-28321, https://launchpad.net/bugs/2006073 Package Information: https://launchpad.net/ubuntu/+source/pam/1.5.2-2ubuntu1.3 https://launchpad.net/ubuntu/+source/pam/1.4.0-11ubuntu2.3 https://launchpad.net/ubuntu/+source/pam/1.3.1-5ubuntu4.6 https://launchpad.net/ubuntu/+source/pam/1.1.8-3.6ubuntu2.18.04.6 signature.asc Description: PGP signature
[USN-5816-2] Firefox regressions
== Ubuntu Security Notice USN-5816-2 February 06, 2023 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: USN-5816-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-5816-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Niklas Baumstark discovered that a compromised web child process of Firefox could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. An attacker could potentially exploits this to obtain sensitive information. (CVE-2023-23597) Tom Schuster discovered that Firefox was not performing a validation check on GTK drag data. An attacker could potentially exploits this to obtain sensitive information. (CVE-2023-23598) Vadim discovered that Firefox was not properly sanitizing a curl command output when copying a network request from the developer tools panel. An attacker could potentially exploits this to hide and execute arbitrary commands. (CVE-2023-23599) Luan Herrera discovered that Firefox was not stopping navigation when dragging a URL from a cross-origin iframe into the same tab. An attacker potentially exploits this to spoof the user. (CVE-2023-23601) Dave Vandyke discovered that Firefox did not properly implement CSP policy when creating a WebSocket in a WebWorker. An attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject an executable script. (CVE-2023-23602) Dan Veditz discovered that Firefox did not properly implement CSP policy on regular expression when using console.log. An attacker potentially exploits this to exfiltrate data from the browser. (CVE-2023-23603) Nika Layzell discovered that Firefox was not performing a validation check when parsing a non-system html document via DOMParser::ParseFromSafeString. An attacker potentially exploits this to bypass web security checks. (CVE-2023-23604) Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-23605, CVE-2023-23606) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 109.0.1+build1-0ubuntu0.20.04.2 Ubuntu 18.04 LTS: firefox 109.0.1+build1-0ubuntu0.18.04.2 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5816-2 https://ubuntu.com/security/notices/USN-5816-1 https://launchpad.net/bugs/2006075 Package Information: https://launchpad.net/ubuntu/+source/firefox/109.0.1+build1-0ubuntu0.20.04.2 https://launchpad.net/ubuntu/+source/firefox/109.0.1+build1-0ubuntu0.18.04.2 signature.asc Description: PGP signature
[USN-5838-1] AdvanceCOMP vulnerabilities
== Ubuntu Security Notice USN-5838-1 February 01, 2023 advancecomp vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM Summary: Several security issues were fixed in AdvanceCOMP. Software Description: - advancecomp: collection of recompression utilities Details: It was discovered that AdvanceCOMP did not properly manage memory while performing read operations on MNG file. If a user were tricked into opening a specially crafted MNG file, a remote attacker could possibly use this issue to cause AdvanceCOMP to crash, resulting in a denial of service. (CVE-2022-35014, CVE-2022-35017, CVE-2022-35018, CVE-2022-35019, CVE-2022-35020) It was discovered that AdvanceCOMP did not properly manage memory while performing read operations on ZIP file. If a user were tricked into opening a specially crafted ZIP file, a remote attacker could possibly use this issue to cause AdvanceCOMP to crash, resulting in a denial of service. (CVE-2022-35015, CVE-2022-35016) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: advancecomp 2.3-1ubuntu0.22.10.1 Ubuntu 22.04 LTS: advancecomp 2.1-2.1ubuntu2.1 Ubuntu 20.04 LTS: advancecomp 2.1-2.1ubuntu0.20.04.1 Ubuntu 18.04 LTS: advancecomp 2.1-1ubuntu0.18.04.3 Ubuntu 16.04 ESM: advancecomp 1.20-1ubuntu0.2+esm2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5838-1 CVE-2022-35014, CVE-2022-35015, CVE-2022-35016, CVE-2022-35017, CVE-2022-35018, CVE-2022-35019, CVE-2022-35020 Package Information: https://launchpad.net/ubuntu/+source/advancecomp/2.3-1ubuntu0.22.10.1 https://launchpad.net/ubuntu/+source/advancecomp/2.1-2.1ubuntu2.1 https://launchpad.net/ubuntu/+source/advancecomp/2.1-2.1ubuntu0.20.04.1 https://launchpad.net/ubuntu/+source/advancecomp/2.1-1ubuntu0.18.04.3 signature.asc Description: PGP signature
[USN-5825-1] PAM vulnerability
== Ubuntu Security Notice USN-5825-1 January 25, 2023 pam vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: PAM would allow unintended access to the machine over network. Software Description: - pam: Pluggable Authentication Modules Details: It was discovered that PAM did not correctly restrict login from an IP address that is not resolvable via DNS. An attacker could possibly use this issue to bypass authentication. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: libpam-modules 1.5.2-2ubuntu1.1 Ubuntu 22.04 LTS: libpam-modules 1.4.0-11ubuntu2.1 Ubuntu 20.04 LTS: libpam-modules 1.3.1-5ubuntu4.4 Ubuntu 18.04 LTS: libpam-modules 1.1.8-3.6ubuntu2.18.04.4 Ubuntu 16.04 ESM: libpam-modules 1.1.8-3.2ubuntu2.3+esm2 Ubuntu 14.04 ESM: libpam-modules 1.1.8-1ubuntu2.2+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5825-1 CVE-2022-28321 Package Information: https://launchpad.net/ubuntu/+source/pam/1.5.2-2ubuntu1.1 https://launchpad.net/ubuntu/+source/pam/1.4.0-11ubuntu2.1 https://launchpad.net/ubuntu/+source/pam/1.3.1-5ubuntu4.4 https://launchpad.net/ubuntu/+source/pam/1.1.8-3.6ubuntu2.18.04.4 signature.asc Description: PGP signature
[USN-5816-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-5816-1 January 23, 2023 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: Niklas Baumstark discovered that a compromised web child process of Firefox could disable web security opening restrictions, leading to a new child process being spawned within the file:// context. An attacker could potentially exploits this to obtain sensitive information. (CVE-2023-23597) Tom Schuster discovered that Firefox was not performing a validation check on GTK drag data. An attacker could potentially exploits this to obtain sensitive information. (CVE-2023-23598) Vadim discovered that Firefox was not properly sanitizing a curl command output when copying a network request from the developer tools panel. An attacker could potentially exploits this to hide and execute arbitrary commands. (CVE-2023-23599) Luan Herrera discovered that Firefox was not stopping navigation when dragging a URL from a cross-origin iframe into the same tab. An attacker potentially exploits this to spoof the user. (CVE-2023-23601) Dave Vandyke discovered that Firefox did not properly implement CSP policy when creating a WebSocket in a WebWorker. An attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject an executable script. (CVE-2023-23602) Dan Veditz discovered that Firefox did not properly implement CSP policy on regular expression when using console.log. An attacker potentially exploits this to exfiltrate data from the browser. (CVE-2023-23603) Nika Layzell discovered that Firefox was not performing a validation check when parsing a non-system html document via DOMParser::ParseFromSafeString. An attacker potentially exploits this to bypass web security checks. (CVE-2023-23604) Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-23605, CVE-2023-23606) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 109.0+build2-0ubuntu0.20.04.1 Ubuntu 18.04 LTS: firefox 109.0+build2-0ubuntu0.18.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5816-1 CVE-2023-23597, CVE-2023-23598, CVE-2023-23599, CVE-2023-23601, CVE-2023-23602, CVE-2023-23603, CVE-2023-23604, CVE-2023-23605, CVE-2023-23606 Package Information: https://launchpad.net/ubuntu/+source/firefox/109.0+build2-0ubuntu0.20.04.1 https://launchpad.net/ubuntu/+source/firefox/109.0+build2-0ubuntu0.18.04.1 signature.asc Description: PGP signature
[USN-5805-1] Apache Maven vulnerability
== Ubuntu Security Notice USN-5805-1 January 16, 2023 maven vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 Summary: Apache Maven could be made to crash or run programs if it received specially crafted input. Software Description: - maven: Java software project management and comprehension tool Details: It was discovered that Apache Maven followed repositories that are defined in a dependency’s Project Object Model (pom) even if the repositories weren't encryptedh (http protocol). An attacker could use this vulnerability to take over a repository, execute arbitrary code or cause a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: libmaven3-core-java 3.6.3-5ubuntu1.1 maven 3.6.3-5ubuntu1.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5805-1 CVE-2021-26291, https://launchpad.net/bugs/1999254 Package Information: https://launchpad.net/ubuntu/+source/maven/3.6.3-5ubuntu1.1 signature.asc Description: PGP signature
[USN-5782-3] Firefox regressions
== Ubuntu Security Notice USN-5782-3 January 10, 2023 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: USN-5782-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-5782-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Firefox was using an out-of-date libusrsctp library. An attacker could possibly use this library to perform a reentrancy issue on Firefox. (CVE-2022-46871) Nika Layzell discovered that Firefox was not performing a check on paste received from cross-processes. An attacker could potentially exploit this to obtain sensitive information. (CVE-2022-46872) Pete Freitag discovered that Firefox did not implement the unsafe-hashes CSP directive. An attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject an executable script. (CVE-2022-46873) Matthias Zoellner discovered that Firefox was not keeping the filename ending intact when using the drag-and-drop event. An attacker could possibly use this issue to add a file with a malicious extension, leading to execute arbitrary code. (CVE-2022-46874) Hafiizh discovered that Firefox was not handling fullscreen notifications when the browser window goes into fullscreen mode. An attacker could possibly use this issue to spoof the user and obtain sensitive information. (CVE-2022-46877) Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2022-46878, CVE-2022-46879) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 108.0.2+build1-0ubuntu0.20.04.1 Ubuntu 18.04 LTS: firefox 108.0.2+build1-0ubuntu0.18.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5782-3 https://ubuntu.com/security/notices/USN-5782-1 https://launchpad.net/bugs/2002377 Package Information: https://launchpad.net/ubuntu/+source/firefox/108.0.2+build1-0ubuntu0.20.04.1 https://launchpad.net/ubuntu/+source/firefox/108.0.2+build1-0ubuntu0.18.04.1 signature.asc Description: PGP signature
[USN-5782-2] Firefox regressions
== Ubuntu Security Notice USN-5782-2 January 05, 2023 firefox regressions == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: USN-5782-1 caused some minor regressions in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: USN-5782-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Firefox was using an out-of-date libusrsctp library. An attacker could possibly use this library to perform a reentrancy issue on Firefox. (CVE-2022-46871) Nika Layzell discovered that Firefox was not performing a check on paste received from cross-processes. An attacker could potentially exploit this to obtain sensitive information. (CVE-2022-46872) Pete Freitag discovered that Firefox did not implement the unsafe-hashes CSP directive. An attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject an executable script. (CVE-2022-46873) Matthias Zoellner discovered that Firefox was not keeping the filename ending intact when using the drag-and-drop event. An attacker could possibly use this issue to add a file with a malicious extension, leading to execute arbitrary code. (CVE-2022-46874) Hafiizh discovered that Firefox was not handling fullscreen notifications when the browser window goes into fullscreen mode. An attacker could possibly use this issue to spoof the user and obtain sensitive information. (CVE-2022-46877) Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2022-46878, CVE-2022-46879) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 108.0.1+build1-0ubuntu0.20.04.1 Ubuntu 18.04 LTS: firefox 108.0.1+build1-0ubuntu0.18.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5782-2 https://ubuntu.com/security/notices/USN-5782-1 https://launchpad.net/bugs/2001921 Package Information: https://launchpad.net/ubuntu/+source/firefox/108.0.1+build1-0ubuntu0.20.04.1 https://launchpad.net/ubuntu/+source/firefox/108.0.1+build1-0ubuntu0.18.04.1 signature.asc Description: PGP signature
[USN-5785-1] FreeRADIUS vulnerabilities
== Ubuntu Security Notice USN-5785-1 January 04, 2023 freeradius vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM Summary: Several security issues were fixed in FreeRADIUS. Software Description: - freeradius: high-performance and highly configurable RADIUS server Details: It was discovered that FreeRADIUS incorrectly handled multiple EAP-pwd handshakes. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-17185) Shane Guan discovered that FreeRADIUS incorrectly handled memory when checking unknown SIM option sent by EAP-SIM supplicant. An attacker could possibly use this issue to cause a denial of service on the server. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-41860) It was discovered that FreeRADIUS incorrectly handled memory when processing certain abinary attributes. An attacker could possibly use this issue to cause a denial of service on the server. (CVE-2022-41861) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: freeradius 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1 Ubuntu 20.04 LTS: freeradius 3.0.20+dfsg-3ubuntu0.2 Ubuntu 18.04 LTS: freeradius 3.0.16+dfsg-1ubuntu3.2 Ubuntu 16.04 ESM: freeradius 2.2.8+dfsg-0.1ubuntu0.1+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5785-1 CVE-2019-17185, CVE-2022-41860, CVE-2022-41861 Package Information: https://launchpad.net/ubuntu/+source/freeradius/3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1 https://launchpad.net/ubuntu/+source/freeradius/3.0.20+dfsg-3ubuntu0.2 https://launchpad.net/ubuntu/+source/freeradius/3.0.16+dfsg-1ubuntu3.2 signature.asc Description: PGP signature
[USN-5782-1] Firefox vulnerabilities
== Ubuntu Security Notice USN-5782-1 December 15, 2022 firefox vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: It was discovered that Firefox was using an out-of-date libusrsctp library. An attacker could possibly use this library to perform a reentrancy issue on Firefox. (CVE-2022-46871) Nika Layzell discovered that Firefox was not performing a check on paste received from cross-processes. An attacker could potentially exploit this to obtain sensitive information. (CVE-2022-46872) Pete Freitag discovered that Firefox did not implement the unsafe-hashes CSP directive. An attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject an executable script. (CVE-2022-46873) Matthias Zoellner discovered that Firefox was not keeping the filename ending intact when using the drag-and-drop event. An attacker could possibly use this issue to add a file with a malicious extension, leading to execute arbitrary code. (CVE-2022-46874) Hafiizh discovered that Firefox was not handling fullscreen notifications when the browser window goes into fullscreen mode. An attacker could possibly use this issue to spoof the user and obtain sensitive information. (CVE-2022-46877) Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2022-46878, CVE-2022-46879) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: firefox 108.0+build2-0ubuntu0.20.04.1 Ubuntu 18.04 LTS: firefox 108.0+build2-0ubuntu0.18.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5782-1 CVE-2022-46871, CVE-2022-46872, CVE-2022-46873, CVE-2022-46874, CVE-2022-46877, CVE-2022-46878, CVE-2022-46879 Package Information: https://launchpad.net/ubuntu/+source/firefox/108.0+build2-0ubuntu0.20.04.1 https://launchpad.net/ubuntu/+source/firefox/108.0+build2-0ubuntu0.18.04.1 signature.asc Description: PGP signature
[USN-5772-1] QEMU vulnerabilities
== Ubuntu Security Notice USN-5772-1 December 12, 2022 qemu vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: Several security issues were fixed in QEMU. Software Description: - qemu: Machine emulator and virtualizer Details: It was discovered that QEMU incorrectly handled bulk transfers from SPICE clients. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2021-3682) It was discovered that QEMU did not properly manage memory when it transfers the USB packets. A malicious guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2021-3750) It was discovered that the QEMU SCSI device emulation incorrectly handled certain MODE SELECT commands. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2021-3930) It was discovered that QEMU did not properly manage memory when it processing repeated messages to cancel the current SCSI request. A malicious privileged guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2022-0216) It was discovered that QEMU did not properly manage memory when it using Tulip device emulation. A malicious guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 22.10. (CVE-2022-2962) It was discovered that QEMU did not properly manage memory when processing ClientCutText messages. A attacker could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2022-3165) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: qemu-system 1:7.0+dfsg-7ubuntu2.1 qemu-system-arm 1:7.0+dfsg-7ubuntu2.1 qemu-system-mips1:7.0+dfsg-7ubuntu2.1 qemu-system-misc1:7.0+dfsg-7ubuntu2.1 qemu-system-ppc 1:7.0+dfsg-7ubuntu2.1 qemu-system-s390x 1:7.0+dfsg-7ubuntu2.1 qemu-system-sparc 1:7.0+dfsg-7ubuntu2.1 qemu-system-x86 1:7.0+dfsg-7ubuntu2.1 qemu-system-x86-xen 1:7.0+dfsg-7ubuntu2.1 Ubuntu 22.04 LTS: qemu1:6.2+dfsg-2ubuntu6.6 qemu-system 1:6.2+dfsg-2ubuntu6.6 qemu-system-arm 1:6.2+dfsg-2ubuntu6.6 qemu-system-mips1:6.2+dfsg-2ubuntu6.6 qemu-system-misc1:6.2+dfsg-2ubuntu6.6 qemu-system-ppc 1:6.2+dfsg-2ubuntu6.6 qemu-system-s390x 1:6.2+dfsg-2ubuntu6.6 qemu-system-sparc 1:6.2+dfsg-2ubuntu6.6 qemu-system-x86 1:6.2+dfsg-2ubuntu6.6 qemu-system-x86-microvm 1:6.2+dfsg-2ubuntu6.6 qemu-system-x86-xen 1:6.2+dfsg-2ubuntu6.6 Ubuntu 20.04 LTS: qemu1:4.2-3ubuntu6.24 qemu-system 1:4.2-3ubuntu6.24 qemu-system-arm 1:4.2-3ubuntu6.24 qemu-system-mips1:4.2-3ubuntu6.24 qemu-system-misc1:4.2-3ubuntu6.24 qemu-system-ppc 1:4.2-3ubuntu6.24 qemu-system-s390x 1:4.2-3ubuntu6.24 qemu-system-sparc 1:4.2-3ubuntu6.24 qemu-system-x86 1:4.2-3ubuntu6.24 qemu-system-x86-microvm 1:4.2-3ubuntu6.24 qemu-system-x86-xen 1:4.2-3ubuntu6.24 Ubuntu 18.04 LTS: qemu1:2.11+dfsg-1ubuntu7.41 qemu-system 1:2.11+dfsg-1ubuntu7.41 qemu-system-arm 1:2.11+dfsg-1ubuntu7.41 qemu-system-mips1:2.11+dfsg-1ubuntu7.41 qemu-system-misc1:2.11+dfsg-1ubuntu7.41 qemu-system-ppc 1:2.11+dfsg-1ubuntu7.41 qemu-system-s390x 1:2.11+dfsg-1ubuntu7.41 qemu-system-sparc 1:2.11+dfsg-1ubuntu7.41 qemu-system-x86 1:2.11+dfsg-1ubuntu7.41 Ubuntu 16.04 ESM: qemu1:2.5+dfsg-5ubuntu10.51+esm1 qemu-system 1:2.5+dfsg-5ubuntu10.51+esm1 qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.51+esm1 qemu-system-arm 1:2.5+dfsg-5ubuntu10.51+esm1 qemu-system-mips1:2.5+dfsg-5ubuntu10.51+esm1 qemu-
[USN-5768-1] GNU C Library vulnerabilities
== Ubuntu Security Notice USN-5768-1 December 08, 2022 glibc vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM Summary: Several security issues were fixed in GNU C Library. Software Description: - glibc: GNU C Library Details: Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could possibly use this issue to cause the GNU C Library to hang or crash, resulting in a denial of service. (CVE-2016-10228, CVE-2019-25013, CVE-2020-27618) It was discovered that the GNU C Library did not properly handled DNS responses when ENDS0 is enabled. An attacker could possibly use this issue to cause fragmentation-based attacks. (CVE-2017-12132) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: libc6 2.23-0ubuntu11.3+esm3 After a standard system update you need to reboot your computer to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5768-1 CVE-2016-10228, CVE-2017-12132, CVE-2019-25013, CVE-2020-27618 signature.asc Description: PGP signature
[USN-5763-1] NumPy vulnerabilities
== Ubuntu Security Notice USN-5763-1 December 07, 2022 numpy vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in NumPy. Software Description: - numpy: scientific computing package with Python Details: It was discovered that NumPy did not properly manage memory when specifying arrays of large dimensions. If a user were tricked into running malicious Python file, an attacker could cause a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-33430) It was discovered that NumPy did not properly perform string comparison operations under certain circumstances. An attacker could possibly use this issue to cause NumPy to crash, resulting in a denial of service. (CVE-2021-34141) It was discovered that NumPy did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause NumPy to crash, resulting in a denial of service. (CVE-2021-41495, CVE-2021-41496) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: python3-numpy 1:1.21.5-1ubuntu22.10.1 Ubuntu 22.04 LTS: python3-numpy 1:1.21.5-1ubuntu22.04.1 Ubuntu 20.04 LTS: python3-numpy 1:1.17.4-5ubuntu3.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5763-1 CVE-2021-33430, CVE-2021-34141, CVE-2021-41495, CVE-2021-41496 Package Information: https://launchpad.net/ubuntu/+source/numpy/1:1.21.5-1ubuntu22.10.1 https://launchpad.net/ubuntu/+source/numpy/1:1.21.5-1ubuntu22.04.1 https://launchpad.net/ubuntu/+source/numpy/1:1.17.4-5ubuntu3.1 signature.asc Description: PGP signature
[USN-5759-1] LibBPF vulnerabilities
== Ubuntu Security Notice USN-5759-1 December 05, 2022 libbpf vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS Summary: Several security issues were fixed in LibBPF. Software Description: - libbpf: eBPF helper library (development files) Details: It was discovered that LibBPF incorrectly handled certain memory operations under certain circumstances. An attacker could possibly use this issue to cause LibBPF to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.10. (CVE-2021-45940, CVE-2021-45941, CVE-2022-3533) It was discovered that LibBPF incorrectly handled certain memory operations under certain circumstances. An attacker could possibly use this issue to cause LibBPF to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-3534, CVE-2022-3606) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: libbpf-dev 1:0.8.0-1ubuntu22.10.1 Ubuntu 22.04 LTS: libbpf-dev 1:0.5.0-1ubuntu22.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5759-1 CVE-2021-45940, CVE-2021-45941, CVE-2022-3533, CVE-2022-3534, CVE-2022-3606 Package Information: https://launchpad.net/ubuntu/+source/libbpf/0.8.0-1ubuntu22.10.1 https://launchpad.net/ubuntu/+source/libbpf/0.5.0-1ubuntu22.04.1 signature.asc Description: PGP signature
[USN-5747-1] Bind vulnerabilities
== Ubuntu Security Notice USN-5747-1 November 29, 2022 bind9 vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: Several security issues were fixed in Bind. Software Description: - bind9: Internet Domain Name Server Details: It was discovered that Bind incorrectly handled large query name when using lightweight resolver protocol. A remote attacker could use this issue to consume resources, leading to a denial of service. (CVE-2016-2775) It was discovered that Bind incorrectly handled large zone data size received via AXFR response. A remote authenticated attacker could use this issue to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-6170) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: bind9 1:9.10.3.dfsg.P4-8ubuntu1.19+esm5 lwresd 1:9.10.3.dfsg.P4-8ubuntu1.19+esm5 Ubuntu 14.04 ESM: bind9 1:9.9.5.dfsg-3ubuntu0.19+esm9 lwresd 1:9.9.5.dfsg-3ubuntu0.19+esm9 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5747-1 CVE-2016-2775, CVE-2016-6170 signature.asc Description: PGP signature
[USN-5744-1] libICE vulnerability
== Ubuntu Security Notice USN-5744-1 November 28, 2022 libice vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM Summary: Weak session cookies generated using libICE could allow sensitive information to be exposed. Software Description: - libice: X11 Inter-Client Exchange library (development headers) Details: It was discovered that libICE was using a weak mechanism to generate the session cookies. A local attacker could possibly use this issue to perform a privilege escalation attack. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: libice-dev 2:1.0.9-2ubuntu0.18.04.1 libice6 2:1.0.9-2ubuntu0.18.04.1 Ubuntu 16.04 ESM: libice-dev 2:1.0.9-1ubuntu0.16.04.1+esm1 libice6 2:1.0.9-1ubuntu0.16.04.1+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5744-1 CVE-2017-2626 Package Information: https://launchpad.net/ubuntu/+source/libice/2:1.0.9-2ubuntu0.18.04.1 signature.asc Description: PGP signature
[USN-5736-1] ImageMagick vulnerabilities
== Ubuntu Security Notice USN-5736-1 November 24, 2022 imagemagick vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: Several security issues were fixed in ImageMagick. Software Description: - imagemagick: Image manipulation programs and library Details: It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. (CVE-2021-20224) Zhang Xiaohui discovered that ImageMagick incorrectly handled certain values when processing image data. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 22.10. (CVE-2021-20241) Zhang Xiaohui discovered that ImageMagick incorrectly handled certain values when processing image data. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS and Ubuntu 22.10. (CVE-2021-20243) It was discovered that ImageMagick incorrectly handled certain values when processing visual effects based image files. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20244) It was discovered that ImageMagick could be made to divide by zero when processing crafted file. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20245) It was discovered that ImageMagick incorrectly handled certain values when performing resampling operations. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20246) It was discovered that ImageMagick incorrectly handled certain values when processing visual effects based image files. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20309) It was discovered that ImageMagick incorrectly handled certain values when processing thumbnail image data. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20312) It was discovered that ImageMagick incorrectly handled memory cleanup when performing certain cryptographic operations. Under certain conditions sensitive cryptographic information could be disclosed. This issue only affected Ubuntu 22.10. (CVE-2021-20313) It was discovered that ImageMagick did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted file using convert command, an attacker could possibly use this issue to cause ImageMagick to crash, resulting in a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-3574) It was discovered that ImageMagick did not use the correct rights when specifically excluded by a module policy. An attacker could use this issue to read and write certain restricted files. This issue only affected Ubuntu 22.10. (CVE-2021-39212) It was discovered that ImageMagick incorrectly handled certain values when processing specially crafted SVG files. By tricking a user into opening a specially crafted SVG file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-4219) It was discovered that ImageMagick did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted DICOM file, an attacker could possibly use this issue to cause ImageMagick to crash, resulting in a denial of service or leaking sensitive information. This issue only affected Ubuntu 22.10. (CVE-2022-1114) It was discovered that ImageMagick incorrectly handled memory under certain circumstances. If a user were tricked into opening a specially crafted image file, an attacker could possibly exploit this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 22.10. (CVE-2022-28463) It was discovered that ImageMagick incorre
[USN-5722-1] nginx vulnerabilities
== Ubuntu Security Notice USN-5722-1 November 15, 2022 nginx vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: Several security issues were fixed in nginx. Software Description: - nginx: small, powerful, scalable web/proxy server Details: It was discovered that nginx incorrectly handled certain memory operations in the ngx_http_mp4_module module. A local attacker could possibly use this issue with a specially crafted mp4 file to cause nginx to crash, stop responding, or access arbitrary memory. (CVE-2022-41741, CVE-2022-41742) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: nginx 1.22.0-1ubuntu1.1 nginx-common1.22.0-1ubuntu1.1 nginx-core 1.22.0-1ubuntu1.1 nginx-extras1.22.0-1ubuntu1.1 nginx-full 1.22.0-1ubuntu1.1 nginx-light 1.22.0-1ubuntu1.1 Ubuntu 22.04 LTS: nginx 1.18.0-6ubuntu14.3 nginx-common1.18.0-6ubuntu14.3 nginx-core 1.18.0-6ubuntu14.3 nginx-extras1.18.0-6ubuntu14.3 nginx-full 1.18.0-6ubuntu14.3 nginx-light 1.18.0-6ubuntu14.3 Ubuntu 20.04 LTS: nginx 1.18.0-0ubuntu1.4 nginx-common1.18.0-0ubuntu1.4 nginx-core 1.18.0-0ubuntu1.4 nginx-extras1.18.0-0ubuntu1.4 nginx-full 1.18.0-0ubuntu1.4 nginx-light 1.18.0-0ubuntu1.4 Ubuntu 18.04 LTS: nginx 1.14.0-0ubuntu1.11 nginx-common1.14.0-0ubuntu1.11 nginx-core 1.14.0-0ubuntu1.11 nginx-extras1.14.0-0ubuntu1.11 nginx-full 1.14.0-0ubuntu1.11 nginx-light 1.14.0-0ubuntu1.11 Ubuntu 16.04 ESM: nginx 1.10.3-0ubuntu0.16.04.5+esm5 nginx-common1.10.3-0ubuntu0.16.04.5+esm5 nginx-core 1.10.3-0ubuntu0.16.04.5+esm5 nginx-extras1.10.3-0ubuntu0.16.04.5+esm5 nginx-full 1.10.3-0ubuntu0.16.04.5+esm5 nginx-light 1.10.3-0ubuntu0.16.04.5+esm5 Ubuntu 14.04 ESM: nginx 1.4.6-1ubuntu3.9+esm4 nginx-common1.4.6-1ubuntu3.9+esm4 nginx-core 1.4.6-1ubuntu3.9+esm4 nginx-extras1.4.6-1ubuntu3.9+esm4 nginx-full 1.4.6-1ubuntu3.9+esm4 nginx-light 1.4.6-1ubuntu3.9+esm4 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5722-1 CVE-2022-41741, CVE-2022-41742 Package Information: https://launchpad.net/ubuntu/+source/nginx/1.22.0-1ubuntu1.1 https://launchpad.net/ubuntu/+source/nginx/1.18.0-6ubuntu14.3 https://launchpad.net/ubuntu/+source/nginx/1.18.0-0ubuntu1.4 https://launchpad.net/ubuntu/+source/nginx/1.14.0-0ubuntu1.11 signature.asc Description: PGP signature
[USN-5673-1] unzip vulnerabilities
== Ubuntu Security Notice USN-5673-1 October 13, 2022 unzip vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: Several security issues were fixed in unzip. Software Description: - unzip: De-archiver for .zip files Details: It was discovered that unzip did not properly handle unicode strings under certain circumstances. If a user were tricked into opening a specially crafted zip file, an attacker could possibly use this issue to cause unzip to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-4217) It was discovered that unzip did not properly perform bounds checking while converting wide strings to local strings. If a user were tricked into opening a specially crafted zip file, an attacker could possibly use this issue to cause unzip to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-0529, CVE-2022-0530) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: unzip 6.0-26ubuntu3.1 Ubuntu 20.04 LTS: unzip 6.0-25ubuntu1.1 Ubuntu 18.04 LTS: unzip 6.0-21ubuntu1.2 Ubuntu 16.04 ESM: unzip 6.0-20ubuntu1.1+esm1 Ubuntu 14.04 ESM: unzip 6.0-9ubuntu1.6+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5673-1 CVE-2021-4217, CVE-2022-0529, CVE-2022-0530, https://launchpad.net/bugs/1957077 Package Information: https://launchpad.net/ubuntu/+source/unzip/6.0-26ubuntu3.1 https://launchpad.net/ubuntu/+source/unzip/6.0-25ubuntu1.1 https://launchpad.net/ubuntu/+source/unzip/6.0-21ubuntu1.2 signature.asc Description: PGP signature
[USN-5671-1] AdvanceCOMP vulnerabilities
== Ubuntu Security Notice USN-5671-1 October 12, 2022 advancecomp vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 16.04 ESM Summary: Several security issues were fixed in AdvanceCOMP. Software Description: - advancecomp: collection of recompression utilities Details: It was discovered that AdvanceCOMP did not properly manage memory of function be_uint32_read() under certain circumstances. If a user were tricked into opening a specially crafted binary file, a remote attacker could possibly use this issue to cause AdvanceCOMP to crash, resulting in a denial of service. (CVE-2019-8379) It was discovered that AdvanceCOMP did not properly manage memory of function adv_png_unfilter_8() under certain circumstances. If a user were tricked into opening a specially crafted PNG file, a remote attacker could possibly use this issue to cause AdvanceCOMP to crash, resulting in a denial of service. (CVE-2019-8383) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: advancecomp 2.1-1ubuntu0.18.04.2 Ubuntu 16.04 ESM: advancecomp 1.20-1ubuntu0.2+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5671-1 CVE-2019-8379, CVE-2019-8383 Package Information: https://launchpad.net/ubuntu/+source/advancecomp/2.1-1ubuntu0.18.04.2 signature.asc Description: PGP signature
[USN-5613-2] Vim regression
== Ubuntu Security Notice USN-5613-2 September 19, 2022 vim regression == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: USN-5613-1 caused a regression in Vim. Software Description: - vim: Vi IMproved - enhanced vi editor Details: USN-5613-1 fixed vulnerabilities in Vim. Unfortunately that update failed to include binary packages for some architectures. This update fixes that regression. We apologize for the inconvenience. Original advisory details: It was discovered that Vim was not properly performing bounds checks when executing spell suggestion commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-0943) It was discovered that Vim was using freed memory when dealing with regular expressions through its old regular expression engine. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution. (CVE-2022-1154) It was discovered that Vim was not properly performing checks on name of lambda functions. An attacker could possibly use this issue to cause a denial of service. This issue affected only Ubuntu 22.04 LTS. (CVE-2022-1420) It was discovered that Vim was incorrectly performing bounds checks when processing invalid commands with composing characters in Ex mode. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-1616) It was discovered that Vim was not properly processing latin1 data when issuing Ex commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-1619) It was discovered that Vim was not properly performing memory management when dealing with invalid regular expression patterns in buffers. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-1620) It was discovered that Vim was not properly processing invalid bytes when performing spell check operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-1621) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: vim 2:8.1.2269-1ubuntu5.9 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5613-2 https://ubuntu.com/security/notices/USN-5613-1 CVE-2022-0943, CVE-2022-1154, CVE-2022-1420, CVE-2022-1616, CVE-2022-1619, CVE-2022-1620, CVE-2022-1621, https://launchpad.net/bugs/1989973 Package Information: https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.9 signature.asc Description: PGP signature
[USN-5613-1] Vim vulnerabilities
== Ubuntu Security Notice USN-5613-1 September 15, 2022 vim vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 14.04 ESM Summary: Several security issues were fixed in Vim. Software Description: - vim: Vi IMproved - enhanced vi editor Details: It was discovered that Vim was not properly performing bounds checks when executing spell suggestion commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-0943) It was discovered that Vim was using freed memory when dealing with regular expressions through its old regular expression engine. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution. (CVE-2022-1154) It was discovered that Vim was not properly performing checks on name of lambda functions. An attacker could possibly use this issue to cause a denial of service. This issue affected only Ubuntu 22.04 LTS. (CVE-2022-1420) It was discovered that Vim was incorrectly performing bounds checks when processing invalid commands with composing characters in Ex mode. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-1616) It was discovered that Vim was not properly processing latin1 data when issuing Ex commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-1619) It was discovered that Vim was not properly performing memory management when dealing with invalid regular expression patterns in buffers. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-1620) It was discovered that Vim was not properly processing invalid bytes when performing spell check operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-1621) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: vim 2:8.2.3995-1ubuntu2.1 Ubuntu 20.04 LTS: vim 2:8.1.2269-1ubuntu5.8 Ubuntu 18.04 LTS: vim 2:8.0.1453-1ubuntu1.9 Ubuntu 14.04 ESM: vim 2:7.4.052-1ubuntu3.1+esm5 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5613-1 CVE-2022-0943, CVE-2022-1154, CVE-2022-1420, CVE-2022-1616, CVE-2022-1619, CVE-2022-1620, CVE-2022-1621 Package Information: https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.1 https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.8 https://launchpad.net/ubuntu/+source/vim/2:8.0.1453-1ubuntu1.9 signature.asc Description: PGP signature
[USN-5583-2] systemd regression
== Ubuntu Security Notice USN-5583-2 September 14, 2022 systemd regression == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS Summary: USN-5583-1 caused a regression in systemd Software Description: - systemd: system and service manager Details: USN-5583-1 fixed vulnerabilities in systemd. Unfortunately this caused a regression by introducing netowrking problems for some users. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that systemd incorrectly handled certain DNS requests, which leads to user-after-free vulnerability. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2022-2526) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: systemd 237-3ubuntu10.56 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5583-2 https://ubuntu.com/security/notices/USN-5583-1 https://launchpad.net/bugs/1988119 Package Information: https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.56 signature.asc Description: PGP signature
[USN-5585-1] Jupyter Notebook vulnerabilities
== Ubuntu Security Notice USN-5585-1 August 30, 2022 jupyter-notebook vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Jupyter Notebook. Software Description: - jupyter-notebook: Jupyter interactive notebook Details: It was discovered that Jupyter Notebook incorrectly handled certain notebooks. An attacker could possibly use this issue of lack of Content Security Policy in Nbconvert to perform cross-site scripting (XSS) attacks on the notebook server. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-19351) It was discovered that Jupyter Notebook incorrectly handled certain SVG documents. An attacker could possibly use this issue to perform cross-site scripting (XSS) attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-21030) It was discovered that Jupyter Notebook incorrectly filtered certain URLs on the login page. An attacker could possibly use this issue to perform open-redirect attack. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-10255) It was discovered that Jupyter Notebook had an incomplete fix for CVE-2019-10255. An attacker could possibly use this issue to perform open-redirect attack using empty netloc. (CVE-2019-10856) It was discovered that Jupyter Notebook incorrectly handled the inclusion of remote pages on Jupyter server. An attacker could possibly use this issue to perform cross-site script inclusion (XSSI) attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-9644) It was discovered that Jupyter Notebook incorrectly filtered certain URLs to a notebook. An attacker could possibly use this issue to perform open-redirect attack. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-26215) It was discovered that Jupyter Notebook server access logs were not protected. An attacker having access to the notebook server could possibly use this issue to get access to steal sensitive information such as auth/cookies. (CVE-2022-24758) It was discovered that Jupyter Notebook incorrectly configured hidden files on the server. An authenticated attacker could possibly use this issue to see unwanted sensitive hidden files from the server which may result in getting full access to the server. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-29238) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: jupyter-notebook6.4.8-1ubuntu0.1 python3-notebook6.4.8-1ubuntu0.1 Ubuntu 20.04 LTS: jupyter-notebook6.0.3-2ubuntu0.1 python3-notebook6.0.3-2ubuntu0.1 Ubuntu 18.04 LTS: jupyter-notebook5.2.2-1ubuntu0.1 python-notebook 5.2.2-1ubuntu0.1 python3-notebook5.2.2-1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5585-1 CVE-2018-19351, CVE-2018-21030, CVE-2019-10255, CVE-2019-10856, CVE-2019-9644, CVE-2020-26215, CVE-2022-24758, CVE-2022-29238 Package Information: https://launchpad.net/ubuntu/+source/jupyter-notebook/6.4.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/jupyter-notebook/6.0.3-2ubuntu0.1 https://launchpad.net/ubuntu/+source/jupyter-notebook/5.2.2-1ubuntu0.1 signature.asc Description: PGP signature
[USN-5583-1] systemd vulnerability
== Ubuntu Security Notice USN-5583-1 August 29, 2022 systemd vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS Summary: systemd could be made to crash or run programs if it received specially crafted DNS request. Software Description: - systemd: system and service manager Details: It was discovered that systemd incorrectly handled certain DNS requests, which leads to user-after-free vulnerability. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2022-2526) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: systemd 237-3ubuntu10.54 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5583-1 CVE-2022-2526 Package Information: https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.54 signature.asc Description: PGP signature
[USN-5559-1] Moment.js vulnerabilities
== Ubuntu Security Notice USN-5559-1 August 10, 2022 node-moment vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Moment.js. Software Description: - node-moment: Work with dates in JavaScript (Node.js module) Details: It was discovered that Moment.js incorrectly handled certain input paths. An attacker could possibly use this issue to cause a loss of integrity by changing the correct path to one of their choice. (CVE-2022-24785) It was discovered that Moment.js incorrectly handled certain input. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-31129) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: libjs-moment2.29.1+ds-3ubuntu0.2 node-moment 2.29.1+ds-3ubuntu0.2 Ubuntu 20.04 LTS: libjs-moment2.24.0+ds-2ubuntu0.1 node-moment 2.24.0+ds-2ubuntu0.1 Ubuntu 18.04 LTS: libjs-moment2.20.1+ds-1ubuntu0.1 node-moment 2.20.1+ds-1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5559-1 CVE-2022-24785, CVE-2022-31129 Package Information: https://launchpad.net/ubuntu/+source/node-moment/2.29.1+ds-3ubuntu0.2 https://launchpad.net/ubuntu/+source/node-moment/2.24.0+ds-2ubuntu0.1 https://launchpad.net/ubuntu/+source/node-moment/2.20.1+ds-1ubuntu0.1 signature.asc Description: PGP signature
[USN-5532-1] Bottle vulnerability
== Ubuntu Security Notice USN-5532-1 July 26, 2022 python-bottle vulnerability == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Bottle could be made to leak sensitive information if it received a specially crafted request. Software Description: - python-bottle: fast and simple WSGI-framework for Python Details: It was discovered that Bottle incorrectly handled errors during early request binding. An attacker could possibly use this issue to disclose sensitve information. (CVE-2022-31799) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: python3-bottle 0.12.19-1+deb11u1build0.22.04.1 Ubuntu 20.04 LTS: python3-bottle 0.12.15-2.1ubuntu0.2 Ubuntu 18.04 LTS: python-bottle 0.12.13-1ubuntu0.2 python3-bottle 0.12.13-1ubuntu0.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5532-1 CVE-2022-31799 Package Information: https://launchpad.net/ubuntu/+source/python-bottle/0.12.19-1+deb11u1build0.22.04.1 https://launchpad.net/ubuntu/+source/python-bottle/0.12.15-2.1ubuntu0.2 https://launchpad.net/ubuntu/+source/python-bottle/0.12.13-1ubuntu0.2 signature.asc Description: PGP signature
[USN-5527-1] Checkmk vulnerabilities
== Ubuntu Security Notice USN-5527-1 July 20, 2022 check-mk vulnerabilities == A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Checkmk. Software Description: - check-mk: general purpose monitoring plugin for retrieving data Details: It was discovered that Checkmk incorrectly handled authentication. An attacker could possibly use this issue to cause a race condition leading to information disclosure. (CVE-2017-14955) It was discovered that Checkmk incorrectly handled certain inputs. An attacker could use these cross-site scripting issues to inject arbitrary html or javascript code to obtain sensitive information including user information, session cookies and valid credentials. (CVE-2017-9781, CVE-2021-36563, CVE-2021-40906, CVE-2022-24565) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: check-mk-livestatus 1.2.8p16-1ubuntu0.2 check-mk-multisite 1.2.8p16-1ubuntu0.2 check-mk-server 1.2.8p16-1ubuntu0.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5527-1 CVE-2017-14955, CVE-2017-9781, CVE-2021-36563, CVE-2021-40906, CVE-2022-24565 Package Information: https://launchpad.net/ubuntu/+source/check-mk/1.2.8p16-1ubuntu0.2 signature.asc Description: PGP signature
