[USN-6851-2] Netplan regression
[USN-6844-2] CUPS regression
[USN-6860-1] OpenVPN vulnerabilities
[USN-6851-2] Netplan regression
==========================================================================
Ubuntu Security Notice USN-6851-2
June 28, 2024
netplan.io regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
USN-6851-1 caused systemctl enable to fail
Software Description:
- netplan.io: Declarative network configuration for various backends
Details:
USN-6851-1 fixed vulnerabilities in Netplan. The update led to the
discovery of a regression in netplan which caused systemctl enable to
fail on systems without dbus. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Andreas Hasenack discovered that netplan incorrectly handled the permissions
for netdev files containing wireguard configuration. An attacker could use
this to obtain wireguard secret keys.
It was discovered that netplan configuration could be manipulated into
injecting arbitrary commands while setting up network interfaces. An
attacker could use this to execute arbitrary commands or escalate
privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libnetplan1 1.0-2ubuntu1.2
netplan-generator 1.0-2ubuntu1.2
netplan.io 1.0-2ubuntu1.2
Ubuntu 23.10
libnetplan0 0.107-5ubuntu0.4
netplan-generator 0.107-5ubuntu0.4
netplan.io 0.107-5ubuntu0.4
Ubuntu 22.04 LTS
libnetplan0 0.106.1-7ubuntu0.22.04.4
netplan.io 0.106.1-7ubuntu0.22.04.4
Ubuntu 20.04 LTS
libnetplan0 0.104-0ubuntu2~20.04.6
netplan.io 0.104-0ubuntu2~20.04.6
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6851-2
https://ubuntu.com/security/notices/USN-6851-1
https://launchpad.net/bugs/2071333
Package Information:
https://launchpad.net/ubuntu/+source/netplan.io/1.0-2ubuntu1.2
https://launchpad.net/ubuntu/+source/netplan.io/0.107-5ubuntu0.4
https://launchpad.net/ubuntu/+source/netplan.io/0.106.1-7ubuntu0.22.04.4
https://launchpad.net/ubuntu/+source/netplan.io/0.104-0ubuntu2~20.04.6
[USN-6844-2] CUPS regression
==========================================================================
Ubuntu Security Notice USN-6844-2
June 28, 2024
cups regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
USN-6844-1 caused the cupsd daemon to never start
Software Description:
- cups: Common UNIX Printing System(tm)
Details:
USN-6844-1 fixed vulnerabilities in the CUPS package. The update
led to the discovery of a regression in CUPS with regard to
how the cupsd daemon handles the Listen configuration directive.
This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Rory McNamara discovered that when starting the cupsd server with a
Listen configuration item, the cupsd process fails to validate whether
the bind call succeeded. An attacker could possibly trick cupsd into
performing an arbitrary chmod of the provided argument, providing
world-writable access to the target.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
cups 2.4.7-1.2ubuntu7.2
cups-daemon 2.4.7-1.2ubuntu7.2
Ubuntu 23.10
cups 2.4.6-0ubuntu3.2
cups-daemon 2.4.6-0ubuntu3.2
Ubuntu 22.04 LTS
cups 2.4.1op1-1ubuntu4.10
cups-daemon 2.4.1op1-1ubuntu4.10
Ubuntu 20.04 LTS
cups 2.3.1-9ubuntu1.8
cups-daemon 2.3.1-9ubuntu1.8
Ubuntu 18.04 LTS
cups 2.2.7-1ubuntu2.10+esm5 (Available with Ubuntu Pro)
cups-daemon 2.2.7-1ubuntu2.10+esm5 (Available with Ubuntu Pro)
Ubuntu 16.04 LTS
cups 2.1.3-4ubuntu0.11+esm7 (Available with Ubuntu Pro)
cups-daemon 2.1.3-4ubuntu0.11+esm7 (Available with Ubuntu Pro)
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6844-2
https://ubuntu.com/security/notices/USN-6844-1
https://launchpad.net/bugs/2070315
Package Information:
https://launchpad.net/ubuntu/+source/cups/2.4.7-1.2ubuntu7.2
https://launchpad.net/ubuntu/+source/cups/2.4.6-0ubuntu3.2
https://launchpad.net/ubuntu/+source/cups/2.4.1op1-1ubuntu4.10
https://launchpad.net/ubuntu/+source/cups/2.3.1-9ubuntu1.8
[USN-6860-1] OpenVPN vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6860-1
July 02, 2024
openvpn vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in OpenVPN.
Software Description:
- openvpn: virtual private network software
Details:
Reynir Björnsson discovered that OpenVPN incorrectly handled terminating
client connections. A remote authenticated client could possibly use this
issue to keep the connection active, bypassing certain security policies.
This issue only affected Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2024-28882)
Reynir Björnsson discovered that OpenVPN incorrectly handled certain
control channel messages with nonprintable characters. A remote attacker
could possibly use this issue to cause OpenVPN to consume resources, or
fill up log files with garbage, leading to a denial of service.
(CVE-2024-5594)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
openvpn 2.6.9-1ubuntu4.1
Ubuntu 23.10
openvpn 2.6.5-0ubuntu1.2
Ubuntu 22.04 LTS
openvpn 2.5.9-0ubuntu0.22.04.3
Ubuntu 20.04 LTS
openvpn 2.4.12-0ubuntu0.20.04.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6860-1
CVE-2024-28882, CVE-2024-5594
Package Information:
https://launchpad.net/ubuntu/+source/openvpn/2.6.9-1ubuntu4.1
https://launchpad.net/ubuntu/+source/openvpn/2.6.5-0ubuntu1.2
https://launchpad.net/ubuntu/+source/openvpn/2.5.9-0ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/openvpn/2.4.12-0ubuntu0.20.04.2
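
Added example, not part of the notices: a way to check a package inventory against the fixed versions listed in the "Update instructions" of all three notices above. It re-implements dpkg's version ordering so it can run away from the hosts; the inventory row layout, host names and installed versions are constructed assumptions.

```python
import re
from itertools import zip_longest

# Fixed versions copied from the three notices above (main package per release).
FIXED = {
    "netplan.io": {"24.04": "1.0-2ubuntu1.2", "23.10": "0.107-5ubuntu0.4",
                   "22.04": "0.106.1-7ubuntu0.22.04.4", "20.04": "0.104-0ubuntu2~20.04.6"},
    "cups": {"24.04": "2.4.7-1.2ubuntu7.2", "23.10": "2.4.6-0ubuntu3.2",
             "22.04": "2.4.1op1-1ubuntu4.10", "20.04": "2.3.1-9ubuntu1.8",
             "18.04": "2.2.7-1ubuntu2.10+esm5", "16.04": "2.1.3-4ubuntu0.11+esm7"},
    "openvpn": {"24.04": "2.6.9-1ubuntu4.1", "23.10": "2.6.5-0ubuntu1.2",
                "22.04": "2.5.9-0ubuntu0.22.04.3", "20.04": "2.4.12-0ubuntu0.20.04.2"},
}

def _order(c):
    # dpkg ordering inside non-digit runs: '~' < end of string < letters < other
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(s):
    # Alternating (non-digit run, number) pairs; the trailing 0 marks end of run.
    return [([_order(c) for c in n] + [0], int(d or 0))
            for n, d in re.findall(r"(\D*)(\d*)", s)]

def _cmp_part(a, b):
    for x, y in zip_longest(_key(a), _key(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(inventory):
    # inventory rows: (host, release, package, installed version)
    return [(h, p, v, FIXED[p][r]) for h, r, p, v in inventory
            if p in FIXED and r in FIXED[p] and deb_cmp(v, FIXED[p][r]) < 0]

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = [("web01", "24.04", "netplan.io", "1.0-2ubuntu1.1"),
          ("prn01", "18.04", "cups", "2.2.7-1ubuntu2.10"),
          ("vpn01", "22.04", "openvpn", "2.5.9-0ubuntu0.22.04.3")]
```

On the host itself, `dpkg --compare-versions <installed> ge <fixed>` performs the same comparison.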