Ubuntu 6614 Published by

The following security update has been released for Ubuntu Linux:

[USN-6663-3] OpenSSL update
[USN-6783-1] VLC vulnerabilities
[USN-6736-2] klibc vulnerabilities
[USN-6777-4] Linux kernel (HWE) vulnerabilities
[USN-6785-1] GNOME Remote Desktop vulnerability
[USN-6784-1] cJSON vulnerabilities




[USN-6663-3] OpenSSL update


==========================================================================
Ubuntu Security Notice USN-6663-3
May 23, 2024

openssl update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Add implicit rejection in PKCS#1 v1.5 in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

USN-6663-1 provided a security update for OpenSSL.
This update provides the corresponding update for
Ubuntu 24.04 LTS.

Original advisory details:

 As a security improvement, OpenSSL will now
 return deterministic random bytes instead of an error
 when detecting wrong padding in PKCS#1 v1.5 RSA
 to prevent its use in possible Bleichenbacher timing attacks.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libssl-doc                      3.0.13-0ubuntu3.1
  libssl3t64                      3.0.13-0ubuntu3.1
  openssl                         3.0.13-0ubuntu3.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6663-3
  https://ubuntu.com/security/notices/USN-6663-1
  https://launchpad.net/bugs/2054090

Package Information:
  https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.1



[USN-6783-1] VLC vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6783-1
May 22, 2024

vlc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

VLC could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- vlc: multimedia player and streamer

Details:

It was discovered that VLC incorrectly handled certain media files.
A remote attacker could possibly use this issue to cause VLC to crash,
resulting in a denial of service, or potential arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
vlc 3.0.18-4ubuntu0.1
vlc-plugin-base 3.0.18-4ubuntu0.1

Ubuntu 22.04 LTS
vlc 3.0.16-1ubuntu0.1~esm2
Available with Ubuntu Pro
vlc-plugin-base 3.0.16-1ubuntu0.1~esm2
Available with Ubuntu Pro

Ubuntu 20.04 LTS
vlc 3.0.9.2-1ubuntu0.1~esm2
Available with Ubuntu Pro
vlc-plugin-base 3.0.9.2-1ubuntu0.1~esm2
Available with Ubuntu Pro

Ubuntu 18.04 LTS
vlc 3.0.8-0ubuntu18.04.1+esm2
Available with Ubuntu Pro
vlc-plugin-base 3.0.8-0ubuntu18.04.1+esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
vlc 2.2.2-5ubuntu0.16.04.5+esm3
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6783-1
CVE-2023-47359, CVE-2023-47360

Package Information:
https://launchpad.net/ubuntu/+source/vlc/3.0.18-4ubuntu0.1



[USN-6736-2] klibc vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6736-2
May 23, 2024

klibc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in klibc.

Software Description:
- klibc: small utilities built with klibc for early boot

Details:

USN-6736-1 fixed vulnerabilities in klibc. This update provides the
corresponding updates for Ubuntu 24.04 LTS.

Original advisory details:

 It was discovered that zlib, vendored in klibc, incorrectly handled
pointer
 arithmetic. An attacker could use this issue to cause klibc to crash or to
 possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)

 Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled
 memory when performing certain deflating operations. An attacker could use
 this issue to cause klibc to crash or to possibly execute arbitrary code.
 (CVE-2018-25032)

 Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly
handled
 memory when performing certain inflate operations. An attacker could use
 this issue to cause klibc to crash or to possibly execute arbitrary code.
 (CVE-2022-37434)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
   klibc-utils                     2.0.13-4ubuntu0.1
   libklibc                         2.0.13-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-6736-2
   https://ubuntu.com/security/notices/USN-6736-1
   CVE-2016-9840, CVE-2016-9841, CVE-2018-25032, CVE-2022-37434

Package Information:
   https://launchpad.net/ubuntu/+source/klibc/2.0.13-4ubuntu0.1



[USN-6777-4] Linux kernel (HWE) vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6777-4
May 23, 2024

linux-aws-hwe vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a use-
after-free vulnerability. A physically proximate attacker could possibly
use this to cause a denial of service (system crash). (CVE-2023-47233)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Block layer subsystem;
- Userspace I/O drivers;
- Ceph distributed file system;
- Ext4 file system;
- JFS file system;
- NILFS2 file system;
- Bluetooth subsystem;
- Networking core;
- IPv4 networking;
- IPv6 networking;
- Logical Link layer;
- MAC80211 subsystem;
- Netlink;
- NFC subsystem;
- Tomoyo security module;
(CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, CVE-2023-52439,
CVE-2024-26635, CVE-2023-52602, CVE-2024-26614, CVE-2024-26704,
CVE-2023-52604, CVE-2023-52566, CVE-2021-46981, CVE-2024-26622,
CVE-2024-26735, CVE-2024-26805, CVE-2024-26801, CVE-2023-52583)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
linux-image-4.15.0-1168-aws 4.15.0-1168.181~16.04.1
Available with Ubuntu Pro
linux-image-aws-hwe 4.15.0.1168.181~16.04.1
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6777-4
https://ubuntu.com/security/notices/USN-6777-1
CVE-2021-46981, CVE-2023-47233, CVE-2023-52439, CVE-2023-52524,
CVE-2023-52530, CVE-2023-52566, CVE-2023-52583, CVE-2023-52601,
CVE-2023-52602, CVE-2023-52604, CVE-2024-26614, CVE-2024-26622,
CVE-2024-26635, CVE-2024-26704, CVE-2024-26735, CVE-2024-26801,
CVE-2024-26805



[USN-6785-1] GNOME Remote Desktop vulnerability


==========================================================================
Ubuntu Security Notice USN-6785-1
May 23, 2024

gnome-remote-desktop vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

GNOME Remote Desktop would allow unintended access to sensitive information
or remote desktop connections.

Software Description:
- gnome-remote-desktop: Remote desktop daemon for GNOME

Details:

Matthias Gerstner discovered that GNOME Remote Desktop incorrectly
performed certain user validation checks. A local attacker could possibly
use this issue to obtain sensitive information, or take control of remote
desktop connections.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
gnome-remote-desktop 46.2-1~ubuntu24.04.2

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6785-1
CVE-2024-5148

Package Information:
https://launchpad.net/ubuntu/+source/gnome-remote-desktop/46.2-1~ubuntu24.04.2



[USN-6784-1] cJSON vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6784-1
May 23, 2024

cjson vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

cJSON could be made to crash if it received specially crafted
input.

Software Description:
- cjson: Ultralightweight JSON parser in ANSI C (development files)

Details:

It was discovered that cJSON incorrectly handled certain input. An
attacker could possibly use this issue to cause cJSON to crash, resulting
in a denial of service. This issue only affected Ubuntu 22.04 LTS and
Ubuntu 23.10. (CVE-2023-50471, CVE-2023-50472)

Luo Jin discovered that cJSON incorrectly handled certain input. An
attacker could possibly use this issue to cause cJSON to crash, resulting
in a denial of service. (CVE-2024-31755)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libcjson1 1.7.17-1ubuntu0.1~esm2
Available with Ubuntu Pro

Ubuntu 23.10
libcjson1 1.7.16-1ubuntu0.2

Ubuntu 22.04 LTS
libcjson1 1.7.15-1ubuntu0.1~esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6784-1
CVE-2023-50471, CVE-2023-50472, CVE-2024-31755

Package Information:
https://launchpad.net/ubuntu/+source/cjson/1.7.16-1ubuntu0.2