[USN-6909-1] Bind vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6909-1
July 23, 2024
bind9 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Bind.
Software Description:
- bind9: Internet Domain Name Server
Details:
It was discovered that Bind incorrectly handled a flood of DNS messages
over TCP. A remote attacker could possibly use this issue to cause Bind to
become unstable, resulting in a denial of service. (CVE-2024-0760)
Toshifumi Sakaguchi discovered that Bind incorrectly handled having a very
large number of RRs existing at the same time. A remote attacker could
possibly use this issue to cause Bind to consume resources, leading to a
denial of service. (CVE-2024-1737)
It was discovered that Bind incorrectly handled a large number of SIG(0)
signed requests. A remote attacker could possibly use this issue to cause
Bind to consume resources, leading to a denial of service. (CVE-2024-1975)
Daniel Stränger discovered that Bind incorrectly handled serving both
stable cache data and authoritative zone content. A remote attacker could
possibly use this issue to cause Bind to crash, resulting in a denial of
service. (CVE-2024-4076)
On Ubuntu 20.04 LTS, Bind has been updated from 9.16 to 9.18. In addition
to security fixes, the updated packages contain bug fixes, new features,
and possibly incompatible changes.
Please see the following for more information:
https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
bind9 1:9.18.28-0ubuntu0.24.04.1
Ubuntu 22.04 LTS
bind9 1:9.18.28-0ubuntu0.22.04.1
Ubuntu 20.04 LTS
bind9 1:9.18.28-0ubuntu0.20.04.1
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-6909-1
CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076
Package Information:
https://launchpad.net/ubuntu/+source/bind9/1:9.18.28-0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/bind9/1:9.18.28-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/bind9/1:9.18.28-0ubuntu0.20.04.1
[USN-6910-1] Apache ActiveMQ vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6910-1
July 23, 2024
activemq vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Apache ActiveMQ.
Software Description:
- activemq: Java message broker - server
Details:
Chess Hazlett discovered that Apache ActiveMQ incorrectly handled certain
commands. A remote attacker could possibly use this issue to terminate
the program, resulting in a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2015-7559)
Peter Stöckli discovered that Apache ActiveMQ incorrectly handled
hostname verification. A remote attacker could possibly use this issue
to perform a person-in-the-middle attack. This issue only affected Ubuntu
16.04 LTS. (CVE-2018-11775)
Jonathan Gallimore and Colm Ó hÉigeartaigh discovered that Apache
ActiveMQ incorrectly handled authentication in certain functions.
A remote attacker could possibly use this issue to perform a
person-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-13920)
Gregor Tudan discovered that Apache ActiveMQ incorrectly handled
LDAP authentication. A remote attacker could possibly use this issue
to acquire unauthenticated access. This issue only affected Ubuntu 16.04
LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-26117)
It was discovered that Apache ActiveMQ incorrectly handled
authentication. A remote attacker could possibly use this issue to run
arbitrary code. (CVE-2022-41678)
It was discovered that Apache ActiveMQ incorrectly handled
deserialization. A remote attacker could possibly use this issue to run
arbitrary shell commands. (CVE-2023-46604)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
activemq 5.16.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
libactivemq-java 5.16.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
activemq 5.15.11-1ubuntu0.1~esm1
Available with Ubuntu Pro
libactivemq-java 5.15.11-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
activemq 5.15.8-2~18.04.1~esm1
Available with Ubuntu Pro
libactivemq-java 5.15.8-2~18.04.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
activemq 5.13.2+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro
libactivemq-java 5.13.2+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6910-1
CVE-2015-7559, CVE-2018-11775, CVE-2020-13920, CVE-2021-26117,
CVE-2022-41678, CVE-2023-46604
[USN-6530-2] HAProxy vulnerability
From: Vyom Yadav <vyom.yadav@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <ca756453-235a-43ab-8261-5180e960e1dd@canonical.com>
Subject: [USN-6530-2] HAProxy vulnerability
==========================================================================
Ubuntu Security Notice USN-6530-2
July 23, 2024
haproxy vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
HAProxy could be made to expose sensitive information.
Software Description:
- haproxy: fast and reliable load balancing reverse proxy
Details:
Seth Manesse and Paul Plasil discovered that HAProxy incorrectly handled
URI components containing the hash character (#). A remote attacker could
possibly use this issue to obtain sensitive information, or to bypass
certain path_end rules.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
haproxy 1.8.8-1ubuntu0.13+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
haproxy 1.6.3-1ubuntu0.3+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6530-2
https://ubuntu.com/security/notices/USN-6530-1
CVE-2023-45539
[USN-6907-1] Squid vulnerability
From: Vyom Yadav <vyom.yadav@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <63b09662-1499-4219-870c-5868aa52b221@canonical.com>
Subject: [USN-6907-1] Squid vulnerability
=========================================================================
Ubuntu Security Notice USN-6907-1
July 23, 2024
squid, squid3 vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Squid could be made to crash if it processed specially crafted characters.
Software Description:
- squid: Web proxy cache server
- squid3: Web proxy cache server
Details:
Joshua Rogers discovered that Squid did not properly handle multi-byte
characters during Edge Side Includes (ESI) processing. A remote attacker
could possibly use this issue to cause a memory corruption error, leading
to a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
squid 6.6-1ubuntu5.1
Ubuntu 22.04 LTS
squid 5.9-0ubuntu0.22.04.2
Ubuntu 20.04 LTS
squid 4.10-1ubuntu1.13
Ubuntu 18.04 LTS
squid 3.5.27-1ubuntu1.14+esm3
Available with Ubuntu Pro
squid3 3.5.27-1ubuntu1.14+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
squid 3.5.12-1ubuntu7.16+esm4
Available with Ubuntu Pro
squid3 3.5.12-1ubuntu7.16+esm4
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6907-1
CVE-2024-37894
Package Information:
https://launchpad.net/ubuntu/+source/squid/6.6-1ubuntu5.1
https://launchpad.net/ubuntu/+source/squid/5.9-0ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.13
[USN-6911-1] Nova vulnerability
==========================================================================
Ubuntu Security Notice USN-6911-1
July 23, 2024
nova vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Nova would allow unintended access to files over the network.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
Arnaud Morin discovered that Nova incorrectly handled certain raw format
images. An authenticated user could use this issue to access arbitrary
files on the server, possibly exposing sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
nova-common 3:29.0.1-0ubuntu1.4
python3-nova 3:29.0.1-0ubuntu1.4
Ubuntu 22.04 LTS
nova-common 3:25.2.1-0ubuntu2.6
python3-nova 3:25.2.1-0ubuntu2.6
Ubuntu 20.04 LTS
nova-common 2:21.2.4-0ubuntu2.11
python3-nova 2:21.2.4-0ubuntu2.11
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6911-1
CVE-2024-40767
Package Information:
https://launchpad.net/ubuntu/+source/nova/3:29.0.1-0ubuntu1.4
https://launchpad.net/ubuntu/+source/nova/3:25.2.1-0ubuntu2.6
https://launchpad.net/ubuntu/+source/nova/2:21.2.4-0ubuntu2.11
[USN-6908-1] Tomcat vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6908-1
July 23, 2024
tomcat vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Tomcat.
Software Description:
- tomcat7: Servlet 3.0 and JSP 2.2 Java API classes
Details:
It was discovered that the Tomcat SSI printenv command echoed user
provided data without escaping it. An attacker could possibly use this
issue to perform an XSS attack. (CVE-2019-0221)
It was discovered that Tomcat incorrectly handled certain uncommon
PersistenceManager with FileStore configurations. A remote attacker could
possibly use this issue to execute arbitrary code.
(CVE-2020-9484, CVE-2021-25329)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
libservlet3.0-java 7.0.78-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libservlet3.0-java 7.0.68-1ubuntu0.4+esm2
Available with Ubuntu Pro
libtomcat7-java 7.0.68-1ubuntu0.4+esm2
Available with Ubuntu Pro
tomcat7 7.0.68-1ubuntu0.4+esm2
Available with Ubuntu Pro
Ubuntu 14.04 LTS
libservlet3.0-java 7.0.52-1ubuntu0.16+esm1
Available with Ubuntu Pro
libtomcat7-java 7.0.52-1ubuntu0.16+esm1
Available with Ubuntu Pro
tomcat7 7.0.52-1ubuntu0.16+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6908-1
CVE-2019-0221, CVE-2020-9484, CVE-2021-25329
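Every notice above ends with a table of fixed package versions, and the practical check on a fleet is whether each host's installed version is at or above the fixed one. Comparing Debian version strings by eye goes wrong in predictable ways: epochs (`1:` and `3:`) outrank any upstream number, `~esm1` sorts below the same string without the suffix, while `+esm2` sorts above it. The following is an added example, not code from Canonical or from dpkg: it re-implements the comparison rules of deb-version(7) in Python so it runs without dpkg present, loads the fixed versions transcribed from the six notices above (Ubuntu 24.04 through 18.04), and flags packages in an inventory that are still below the fix. `SAMPLE_INVENTORY` is a constructed example in the format `dpkg-query -W -f='${Package} ${Version}\n'` prints, not data from a real host.

```python
"""Check installed package versions against the USN fixed-version tables.
Added example; re-implements deb-version(7) comparison, not dpkg's own code."""


def _order(c):
    """dpkg's sort weight for one non-digit character: '~' sorts before
    everything including end of string, letters before other punctuation."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a, b):
    """Compare an upstream or revision part: alternate non-digit runs
    (by _order) and digit runs (numerically, longer run wins)."""
    i = j = 0

    def ch(s, k):
        return s[k] if k < len(s) else ""

    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0":  # leading zeros are insignificant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


# Fixed versions from USN-6909-1, USN-6910-1, USN-6530-2, USN-6907-1,
# USN-6911-1 and USN-6908-1 (July 23, 2024), keyed by Ubuntu release.
FIXED_VERSIONS = {
    "24.04": {"bind9": "1:9.18.28-0ubuntu0.24.04.1", "squid": "6.6-1ubuntu5.1",
              "nova-common": "3:29.0.1-0ubuntu1.4", "python3-nova": "3:29.0.1-0ubuntu1.4"},
    "22.04": {"bind9": "1:9.18.28-0ubuntu0.22.04.1", "squid": "5.9-0ubuntu0.22.04.2",
              "activemq": "5.16.1-1ubuntu0.1~esm1", "libactivemq-java": "5.16.1-1ubuntu0.1~esm1",
              "nova-common": "3:25.2.1-0ubuntu2.6", "python3-nova": "3:25.2.1-0ubuntu2.6"},
    "20.04": {"bind9": "1:9.18.28-0ubuntu0.20.04.1", "squid": "4.10-1ubuntu1.13",
              "activemq": "5.15.11-1ubuntu0.1~esm1", "libactivemq-java": "5.15.11-1ubuntu0.1~esm1",
              "nova-common": "2:21.2.4-0ubuntu2.11", "python3-nova": "2:21.2.4-0ubuntu2.11"},
    "18.04": {"activemq": "5.15.8-2~18.04.1~esm1", "libactivemq-java": "5.15.8-2~18.04.1~esm1",
              "haproxy": "1.8.8-1ubuntu0.13+esm2", "squid": "3.5.27-1ubuntu1.14+esm3",
              "squid3": "3.5.27-1ubuntu1.14+esm3", "libservlet3.0-java": "7.0.78-1ubuntu0.1~esm1"},
}


def parse_dpkg_query(text):
    """Parse lines of `dpkg-query -W -f='${Package} ${Version}\\n'` output."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def unpatched(release, installed):
    """Map package -> (installed, fixed) for packages still below the fix."""
    fixed = FIXED_VERSIONS.get(release, {})
    return {pkg: (ver, fixed[pkg]) for pkg, ver in installed.items()
            if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0}


# Constructed sample (not from a real host): squid at the fixed version, an
# older bind9 build, a hypothetical pre-ESM activemq, and a nova-common version
# string missing its epoch, which sorts below every 3: version however new.
SAMPLE_INVENTORY = """\
squid 5.9-0ubuntu0.22.04.2
bind9 1:9.18.18-0ubuntu0.22.04.2
activemq 5.16.1-1
nova-common 25.2.1-0ubuntu2.6
"""

if __name__ == "__main__":
    for pkg, (have, need) in sorted(unpatched("22.04", parse_dpkg_query(SAMPLE_INVENTORY)).items()):
        print(f"{pkg}: installed {have} is below fixed {need}")
```

On a real host, pipe `dpkg-query -W -f='${Package} ${Version}\n' bind9 squid ...` into `parse_dpkg_query` and pass the release from `/etc/os-release`; when dpkg is available, `dpkg --compare-versions` gives the same answers and is the authoritative reference if the two ever disagree. Note that the ESM packages in these notices are only installable with Ubuntu Pro, so a host showing the pre-ESM version is not patched even though a plain `apt upgrade` reports nothing to do.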