[USN-6592-1] libssh vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6592-1
January 22, 2024
libssh vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in libssh.
Software Description:
- libssh: A tiny C SSH library
Details:
It was discovered that libssh incorrectly handled the ProxyCommand and the
ProxyJump features. A remote attacker could possibly use this issue to
inject malicious code into the command of the features mentioned through
the hostname parameter. (CVE-2023-6004)
It was discovered that libssh incorrectly handled return codes when
performing message digest operations. A remote attacker could possibly use
this issue to cause libssh to crash, obtain sensitive information, or
execute arbitrary code. (CVE-2023-6918)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
libssh-4 0.10.5-3ubuntu1.2
Ubuntu 23.04:
libssh-4 0.10.4-2ubuntu0.3
Ubuntu 22.04 LTS:
libssh-4 0.9.6-2ubuntu0.22.04.3
Ubuntu 20.04 LTS:
libssh-4 0.9.3-2ubuntu2.5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6592-1
CVE-2023-6004, CVE-2023-6918
Package Information:
https://launchpad.net/ubuntu/+source/libssh/0.10.5-3ubuntu1.2
https://launchpad.net/ubuntu/+source/libssh/0.10.4-2ubuntu0.3
https://launchpad.net/ubuntu/+source/libssh/0.9.6-2ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/libssh/0.9.3-2ubuntu2.5
[USN-6593-1] GnuTLS vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6593-1
January 22, 2024
gnutls28 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in GnuTLS.
Software Description:
- gnutls28: GNU TLS library
Details:
It was discovered that GnuTLS had a timing side-channel when processing
malformed ciphertexts in RSA-PSK ClientKeyExchange. A remote attacker could
possibly use this issue to recover sensitive information. (CVE-2024-0553)
It was discovered that GnuTLS incorrectly handled certain certificate
chains with a cross-signing loop. A remote attacker could possibly use this
issue to cause GnuTLS to crash, resulting in a denial of service. This
issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.
(CVE-2024-0567)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
libgnutls30 3.8.1-4ubuntu1.2
Ubuntu 23.04:
libgnutls30 3.7.8-5ubuntu1.2
Ubuntu 22.04 LTS:
libgnutls30 3.7.3-4ubuntu1.4
Ubuntu 20.04 LTS:
libgnutls30 3.6.13-2ubuntu1.10
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6593-1
CVE-2024-0553, CVE-2024-0567
Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.8.1-4ubuntu1.2
https://launchpad.net/ubuntu/+source/gnutls28/3.7.8-5ubuntu1.2
https://launchpad.net/ubuntu/+source/gnutls28/3.7.3-4ubuntu1.4
https://launchpad.net/ubuntu/+source/gnutls28/3.6.13-2ubuntu1.10
[USN-6587-2] X.Org X Server vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6587-2
January 22, 2024
xorg-server vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in X.Org X Server.
Software Description:
- xorg-server: X.Org X11 server
Details:
USN-6587-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An
attacker could possibly use this issue to cause the X Server to crash,
obtain sensitive information, or execute arbitrary code. (CVE-2023-6816)
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
reattaching to a different master device. An attacker could use this issue
to cause the X Server to crash, leading to a denial of service, or possibly
execute arbitrary code. (CVE-2024-0229)
Olivier Fourdan and Donn Seeley discovered that the X.Org X Server
incorrectly labeled GLX PBuffers when used with SELinux. An attacker could
use this issue to cause the X Server to crash, leading to a denial of
service. (CVE-2024-0408)
Olivier Fourdan discovered that the X.Org X Server incorrectly handled
the cursor code when used with SELinux. An attacker could use this issue to
cause the X Server to crash, leading to a denial of service.
(CVE-2024-0409)
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the XISendDeviceHierarchyEvent API. An attacker
could possibly use this issue to cause the X Server to crash, or execute
arbitrary code. (CVE-2024-21885)
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
devices being disabled. An attacker could possibly use this issue to cause
the X Server to crash, or execute arbitrary code. (CVE-2024-21886)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
xserver-xorg-core 2:1.19.6-1ubuntu4.15+esm4
xwayland 2:1.19.6-1ubuntu4.15+esm4
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
xserver-xorg-core 2:1.18.4-0ubuntu0.12+esm9
xwayland 2:1.18.4-0ubuntu0.12+esm9
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6587-2
https://ubuntu.com/security/notices/USN-6587-1
CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409,
CVE-2024-21885, CVE-2024-21886
[USN-6591-1] Postfix vulnerability
==========================================================================
Ubuntu Security Notice USN-6591-1
January 22, 2024
postfix vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
Postfix could allow bypass of email authentication if it received
specially crafted network traffic.
Software Description:
- postfix: High-performance mail transport agent
Details:
Timo Longin discovered that Postfix incorrectly handled certain email line
endings. A remote attacker could possibly use this issue to bypass an email
authentication mechanism, allowing domain spoofing and potential spamming.
Please note that certain configuration changes are required to address
this issue. They are not enabled by default for backward compatibility.
Information can be found at https://www.postfix.org/smtp-smuggling.html.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
postfix 3.8.1-2ubuntu0.1
Ubuntu 22.04 LTS:
postfix 3.6.4-1ubuntu1.2
Ubuntu 20.04 LTS:
postfix 3.4.13-0ubuntu1.3
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
postfix 3.3.0-1ubuntu0.4+esm2
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
postfix 3.1.0-3ubuntu0.4+esm2
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
postfix 2.11.0-1ubuntu1.2+esm2
After a standard system update you need to enable
smtpd_forbid_bare_newline in your configuration and reload it to make
all the necessary changes.
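The configuration step above is easy to miss after the package update, so here is an added audit script (not part of the notice, Ubuntu or Postfix) that reads `postconf -n` output, reports whether smtpd_forbid_bare_newline is enabled, and prints the two commands that enable and reload it. It assumes the value `yes` is the enabling form, as documented at the Postfix URL the notice cites, and that postconf(1) is on the mail host's PATH.

```shell
#!/bin/sh
# Added example, not part of USN-6591-1 or of Postfix: audit a Postfix
# configuration (as printed by 'postconf -n') for the smtpd_forbid_bare_newline
# setting the notice requires after updating, and show how to enable it.
# Assumption: "yes" enables the check (per https://www.postfix.org/smtp-smuggling.html).

# Print the configured value of smtpd_forbid_bare_newline from "name = value"
# lines on stdin; prints an empty line when the parameter is absent.
bare_newline_value() {
    awk -F' *= *' '$1 == "smtpd_forbid_bare_newline" { v = $2 } END { print v }'
}

# Exit 0 when the setting enables the check, 1 otherwise (config on stdin).
bare_newline_enabled() {
    [ "$(bare_newline_value)" = "yes" ]
}

# The remediation the notice asks for: set the parameter, then reload.
remediation() {
    printf '%s\n' "postconf -e 'smtpd_forbid_bare_newline = yes'" "postfix reload"
}

# Audit a config given on stdin; exit 1 and print the fix when it is missing.
audit_config() {
    if bare_newline_enabled; then
        echo "ok: smtpd_forbid_bare_newline is enabled"
    else
        echo "missing: smtpd_forbid_bare_newline is not enabled; run:"
        remediation
        return 1
    fi
}

# Constructed sample of 'postconf -n' output from a host that installed the
# updated package but has not yet changed its configuration.
SAMPLE_BEFORE='compatibility_level = 3.6
myhostname = mail.example.test
smtpd_tls_security_level = may'

# The same host after applying the remediation.
SAMPLE_AFTER="$SAMPLE_BEFORE
smtpd_forbid_bare_newline = yes"

# Live use on a mail host: sh this_script.sh --live
# (guarded so the functions can be sourced without running anything).
if [ "${1:-}" = "--live" ]; then
    postconf -n | audit_config
fi
```

Run it with `--live` on the mail host after the package update; a `missing` result means the bare-newline check is still off even though the fixed package is installed.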
References:
https://ubuntu.com/security/notices/USN-6591-1
CVE-2023-51764, https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/2049337
Package Information:
https://launchpad.net/ubuntu/+source/postfix/3.8.1-2ubuntu0.1
https://launchpad.net/ubuntu/+source/postfix/3.6.4-1ubuntu1.2
https://launchpad.net/ubuntu/+source/postfix/3.4.13-0ubuntu1.3
[USN-6594-1] Squid vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6594-1
January 23, 2024
squid vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Squid.
Software Description:
- squid: Web proxy cache server
Details:
Joshua Rogers discovered that Squid incorrectly handled HTTP message
processing. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-49285)
Joshua Rogers discovered that Squid incorrectly handled Helper process
management. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-49286)
Joshua Rogers discovered that Squid incorrectly handled HTTP request
parsing. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-50269)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
squid 6.1-2ubuntu1.2
Ubuntu 23.04:
squid 5.7-1ubuntu3.2
Ubuntu 22.04 LTS:
squid 5.7-0ubuntu0.22.04.3
Ubuntu 20.04 LTS:
squid 4.10-1ubuntu1.9
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6594-1
CVE-2023-49285, CVE-2023-49286, CVE-2023-50269
Package Information:
https://launchpad.net/ubuntu/+source/squid/6.1-2ubuntu1.2
https://launchpad.net/ubuntu/+source/squid/5.7-1ubuntu3.2
https://launchpad.net/ubuntu/+source/squid/5.7-0ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.9