[USN-6663-3] OpenSSL update
==========================================================================
Ubuntu Security Notice USN-6663-3
May 23, 2024
openssl update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
Add implicit rejection in PKCS#1 v1.5 in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
USN-6663-1 provided a security update for OpenSSL.
This update provides the corresponding update for
Ubuntu 24.04 LTS.
Original advisory details:
As a security improvement, OpenSSL will now
return deterministic random bytes instead of an error
when detecting wrong padding in PKCS#1 v1.5 RSA
to prevent its use in possible Bleichenbacher timing attacks.
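To make the mechanism above concrete, the following added example (not OpenSSL's own code) contrasts strict PKCS#1 v1.5 unpadding, which reports an error a Bleichenbacher oracle can key on, with implicit rejection, which replaces the error by a deterministic stand-in plaintext derived from a per-key secret and the ciphertext. The raw RSA private-key operation, the per-key secret and the length derivation are assumptions and simplifications; OpenSSL's actual scheme differs in detail.

```python
import hashlib
import hmac


def pkcs1_v15_unpad(em: bytes, k: int):
    """Strict RSAES-PKCS1-v1_5 unpadding of EM = 00 || 02 || PS || 00 || M.

    Returns M, or None on any defect (bad header, PS shorter than 8 bytes,
    missing 0x00 separator). That None is the explicit error a padding
    oracle attack distinguishes from a successful decryption."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 0 or sep - 2 < 8:
        return None
    return em[sep + 1:]


def synthetic_message(kdk_secret: bytes, ciphertext: bytes, k: int) -> bytes:
    """Deterministic stand-in plaintext for a rejected ciphertext.

    kdk_secret is an assumed per-private-key secret kept with the key.
    Deriving everything from HMAC(secret, ciphertext) keeps the output stable
    across retries of the same ciphertext, so a prober cannot separate
    'padding error' from 'garbage plaintext' by repeating a query."""
    kdk = hmac.new(kdk_secret, ciphertext, hashlib.sha256).digest()
    max_len = k - 11                       # longest M a valid EM can carry
    raw = hmac.new(kdk, b"len", hashlib.sha256).digest()[:2]
    length = int.from_bytes(raw, "big") % (max_len + 1)  # simplified choice
    out = b""
    ctr = 0
    while len(out) < length:               # HMAC in counter mode as a PRF
        out += hmac.new(kdk, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def decrypt_implicit_reject(em: bytes, ciphertext: bytes, k: int,
                            kdk_secret: bytes) -> bytes:
    """em is the raw RSA private-key output for ciphertext (RSA op not shown).

    Both candidates are always computed; a C implementation selects between
    them in constant time. Python only demonstrates the logic, not timing."""
    real = pkcs1_v15_unpad(em, k)
    fake = synthetic_message(kdk_secret, ciphertext, k)
    return fake if real is None else real
```

The caller therefore never sees a padding failure: a tampered ciphertext yields a plaintext that fails whatever integrity check sits above RSA, with no signal tied to the padding bytes.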
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libssl-doc 3.0.13-0ubuntu3.1
libssl3t64 3.0.13-0ubuntu3.1
openssl 3.0.13-0ubuntu3.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6663-3
https://ubuntu.com/security/notices/USN-6663-1
https://launchpad.net/bugs/2054090
Package Information:
https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.1
[USN-6783-1] VLC vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6783-1
May 22, 2024
vlc vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
VLC could be made to crash or run programs if it received
specially crafted network traffic.
Software Description:
- vlc: multimedia player and streamer
Details:
It was discovered that VLC incorrectly handled certain media files.
A remote attacker could possibly use this issue to cause VLC to crash,
resulting in a denial of service, or potential arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10
vlc 3.0.18-4ubuntu0.1
vlc-plugin-base 3.0.18-4ubuntu0.1
Ubuntu 22.04 LTS
vlc 3.0.16-1ubuntu0.1~esm2
Available with Ubuntu Pro
vlc-plugin-base 3.0.16-1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 20.04 LTS
vlc 3.0.9.2-1ubuntu0.1~esm2
Available with Ubuntu Pro
vlc-plugin-base 3.0.9.2-1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
vlc 3.0.8-0ubuntu18.04.1+esm2
Available with Ubuntu Pro
vlc-plugin-base 3.0.8-0ubuntu18.04.1+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
vlc 2.2.2-5ubuntu0.16.04.5+esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6783-1
CVE-2023-47359, CVE-2023-47360
Package Information:
https://launchpad.net/ubuntu/+source/vlc/3.0.18-4ubuntu0.1
[USN-6736-2] klibc vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6736-2
May 23, 2024
klibc vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in klibc.
Software Description:
- klibc: small utilities built with klibc for early boot
Details:
USN-6736-1 fixed vulnerabilities in klibc. This update provides the
corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
It was discovered that zlib, vendored in klibc, incorrectly handled pointer
arithmetic. An attacker could use this issue to cause klibc to crash or to
possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)
Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain deflating operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2018-25032)
Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain inflate operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2022-37434)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
klibc-utils 2.0.13-4ubuntu0.1
libklibc 2.0.13-4ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6736-2
https://ubuntu.com/security/notices/USN-6736-1
CVE-2016-9840, CVE-2016-9841, CVE-2018-25032, CVE-2022-37434
Package Information:
https://launchpad.net/ubuntu/+source/klibc/2.0.13-4ubuntu0.1
[USN-6777-4] Linux kernel (HWE) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6777-4
May 23, 2024
linux-aws-hwe vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems
Details:
Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a
use-after-free vulnerability. A physically proximate attacker could possibly
use this to cause a denial of service (system crash). (CVE-2023-47233)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Block layer subsystem;
- Userspace I/O drivers;
- Ceph distributed file system;
- Ext4 file system;
- JFS file system;
- NILFS2 file system;
- Bluetooth subsystem;
- Networking core;
- IPv4 networking;
- IPv6 networking;
- Logical Link layer;
- MAC80211 subsystem;
- Netlink;
- NFC subsystem;
- Tomoyo security module;
(CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, CVE-2023-52439,
CVE-2024-26635, CVE-2023-52602, CVE-2024-26614, CVE-2024-26704,
CVE-2023-52604, CVE-2023-52566, CVE-2021-46981, CVE-2024-26622,
CVE-2024-26735, CVE-2024-26805, CVE-2024-26801, CVE-2023-52583)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
linux-image-4.15.0-1168-aws 4.15.0-1168.181~16.04.1
Available with Ubuntu Pro
linux-image-aws-hwe 4.15.0.1168.181~16.04.1
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-6777-4
https://ubuntu.com/security/notices/USN-6777-1
CVE-2021-46981, CVE-2023-47233, CVE-2023-52439, CVE-2023-52524,
CVE-2023-52530, CVE-2023-52566, CVE-2023-52583, CVE-2023-52601,
CVE-2023-52602, CVE-2023-52604, CVE-2024-26614, CVE-2024-26622,
CVE-2024-26635, CVE-2024-26704, CVE-2024-26735, CVE-2024-26801,
CVE-2024-26805
[USN-6785-1] GNOME Remote Desktop vulnerability
==========================================================================
Ubuntu Security Notice USN-6785-1
May 23, 2024
gnome-remote-desktop vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
GNOME Remote Desktop would allow unintended access to sensitive information
or remote desktop connections.
Software Description:
- gnome-remote-desktop: Remote desktop daemon for GNOME
Details:
Matthias Gerstner discovered that GNOME Remote Desktop incorrectly
performed certain user validation checks. A local attacker could possibly
use this issue to obtain sensitive information, or take control of remote
desktop connections.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
gnome-remote-desktop 46.2-1~ubuntu24.04.2
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6785-1
CVE-2024-5148
Package Information:
https://launchpad.net/ubuntu/+source/gnome-remote-desktop/46.2-1~ubuntu24.04.2
[USN-6784-1] cJSON vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6784-1
May 23, 2024
cjson vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
Summary:
cJSON could be made to crash if it received specially crafted
input.
Software Description:
- cjson: Ultralightweight JSON parser in ANSI C (development files)
Details:
It was discovered that cJSON incorrectly handled certain input. An
attacker could possibly use this issue to cause cJSON to crash, resulting
in a denial of service. This issue only affected Ubuntu 22.04 LTS and
Ubuntu 23.10. (CVE-2023-50471, CVE-2023-50472)
Luo Jin discovered that cJSON incorrectly handled certain input. An
attacker could possibly use this issue to cause cJSON to crash, resulting
in a denial of service. (CVE-2024-31755)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libcjson1 1.7.17-1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 23.10
libcjson1 1.7.16-1ubuntu0.2
Ubuntu 22.04 LTS
libcjson1 1.7.15-1ubuntu0.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6784-1
CVE-2023-50471, CVE-2023-50472, CVE-2024-31755
Package Information:
https://launchpad.net/ubuntu/+source/cjson/1.7.16-1ubuntu0.2