[USN-6850-1] OpenVPN vulnerability
[USN-6848-1] Roundcube vulnerabilities
[USN-6847-1] libheif vulnerabilities
[USN-6819-4] Linux kernel (Oracle) vulnerabilities
[USN-6843-1] Plasma Workspace vulnerability
[USN-6852-1] Wget vulnerability
[USN-6853-1] Ruby vulnerability
[USN-6566-2] SQLite vulnerability
[USN-6851-1] Netplan vulnerabilities
[USN-6850-1] OpenVPN vulnerability
==========================================================================
Ubuntu Security Notice USN-6850-1
June 26, 2024
openvpn vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
OpenVPN could allow unintended access to network services.
Software Description:
- openvpn: virtual private network software
Details:
It was discovered that OpenVPN incorrectly handled certain configurations
with multiple authentication plugins. A remote attacker could possibly use
this issue to bypass authentication using incomplete credentials.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
openvpn 2.3.10-1ubuntu2.2+esm1
Available with Ubuntu Pro
Ubuntu 14.04 LTS
openvpn 2.3.2-7ubuntu3.2+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6850-1
CVE-2022-0547
[USN-6848-1] Roundcube vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6848-1
June 25, 2024
roundcube vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Roundcube could be made to crash or run programs if it received specially
crafted input.
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers - metapack
Details:
Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly
handled certain SVG images. A remote attacker could possibly use this
issue to load arbitrary JavaScript code. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.
(CVE-2023-5631)
Rene Rehme discovered that Roundcube incorrectly handled certain headers.
A remote attacker could possibly use this issue to load arbitrary
JavaScript code. This issue only affected Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-47272)
Valentin T. and Lutz Wolf discovered that Roundcube incorrectly handled
certain SVG images. A remote attacker could possibly use this issue to
load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2024-37383)
Huy Nguyễn Phạm Nhật discovered that Roundcube incorrectly handled
certain fields in user preferences. A remote attacker could possibly use
this issue to load arbitrary JavaScript code. (CVE-2024-37384)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10
roundcube 1.6.2+dfsg-1ubuntu0.2
roundcube-core 1.6.2+dfsg-1ubuntu0.2
Ubuntu 22.04 LTS
roundcube 1.5.0+dfsg.1-2ubuntu0.1~esm3
Available with Ubuntu Pro
roundcube-core 1.5.0+dfsg.1-2ubuntu0.1~esm3
Available with Ubuntu Pro
Ubuntu 20.04 LTS
roundcube 1.4.3+dfsg.1-1ubuntu0.1~esm4
Available with Ubuntu Pro
roundcube-core 1.4.3+dfsg.1-1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 18.04 LTS
roundcube 1.3.6+dfsg.1-1ubuntu0.1~esm4
Available with Ubuntu Pro
roundcube-core 1.3.6+dfsg.1-1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 16.04 LTS
roundcube 1.2~beta+dfsg.1-0ubuntu1+esm4
Available with Ubuntu Pro
roundcube-core 1.2~beta+dfsg.1-0ubuntu1+esm4
Available with Ubuntu Pro
After a standard system update you need to restart Roundcube to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6848-1
CVE-2023-47272, CVE-2023-5631, CVE-2024-37383, CVE-2024-37384,
https://launchpad.net/bugs/2043396
Package Information:
https://launchpad.net/ubuntu/+source/roundcube/1.6.2+dfsg-1ubuntu0.2
[USN-6847-1] libheif vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6847-1
June 25, 2024
libheif vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
libheif could be made to crash if it opened a specially crafted
file.
Software Description:
- libheif: ISO/IEC 23008-12:2017 HEIF file format decoder - development file
Details:
It was discovered that libheif incorrectly handled certain image data.
An attacker could possibly use this issue to crash the program, resulting
in a denial of service. This issue only affected Ubuntu 18.04 LTS.
(CVE-2019-11471)
Reza Mirzazade Farkhani discovered that libheif incorrectly handled
certain image data. An attacker could possibly use this issue to crash the
program, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS. (CVE-2020-23109)
Eugene Lim discovered that libheif incorrectly handled certain image data.
An attacker could possibly use this issue to crash the program, resulting
in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-0996)
Min Jang discovered that libheif incorrectly handled certain image data.
An attacker could possibly use this issue to crash the program, resulting
in a denial of service. This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2023-29659)
Yuchuan Meng discovered that libheif incorrectly handled certain image data.
An attacker could possibly use this issue to crash the program, resulting
in a denial of service. This issue only affected Ubuntu 23.10.
(CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49464)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10
heif-gdk-pixbuf 1.16.2-2ubuntu1.1
libheif-dev 1.16.2-2ubuntu1.1
libheif-plugin-libde265 1.16.2-2ubuntu1.1
libheif1 1.16.2-2ubuntu1.1
Ubuntu 22.04 LTS
heif-gdk-pixbuf 1.12.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
libheif-dev 1.12.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
libheif1 1.12.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
heif-gdk-pixbuf 1.6.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
libheif-dev 1.6.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
libheif1 1.6.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libheif-dev 1.1.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
libheif1 1.1.0-2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6847-1
CVE-2019-11471, CVE-2020-23109, CVE-2023-0996, CVE-2023-29659,
CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49464
Package Information:
https://launchpad.net/ubuntu/+source/libheif/1.16.2-2ubuntu1.1
[USN-6819-4] Linux kernel (Oracle) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6819-4
June 26, 2024
linux-oracle-6.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oracle-6.5: Linux kernel for Oracle Cloud systems
Details:
Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel
did not properly validate H2C PDU data, leading to a null pointer
dereference vulnerability. A remote attacker could use this to cause a
denial of service (system crash). (CVE-2023-6356, CVE-2023-6535,
CVE-2023-6536)
Chenyuan Yang discovered that the RDS Protocol implementation in the Linux
kernel contained an out-of-bounds read vulnerability. An attacker could use
this to possibly cause a denial of service (system crash). (CVE-2024-23849)
It was discovered that a race condition existed in the Bluetooth subsystem
in the Linux kernel, leading to a null pointer dereference vulnerability. A
privileged local attacker could use this to possibly cause a denial of
service (system crash). (CVE-2024-24860)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- PowerPC architecture;
- RISC-V architecture;
- S390 architecture;
- Core kernel;
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
- ACPI drivers;
- Android drivers;
- Drivers core;
- Power management core;
- Bus devices;
- Device frequency scaling framework;
- DMA engine subsystem;
- EDAC drivers;
- ARM SCMI message protocol;
- GPU drivers;
- IIO ADC drivers;
- InfiniBand drivers;
- IOMMU subsystem;
- Media drivers;
- Multifunction device drivers;
- MTD block device drivers;
- Network drivers;
- NVME drivers;
- Device tree and open firmware driver;
- PCI driver for MicroSemi Switchtec;
- Power supply drivers;
- RPMSG subsystem;
- SCSI drivers;
- QCOM SoC drivers;
- SPMI drivers;
- Thermal drivers;
- TTY drivers;
- VFIO drivers;
- BTRFS file system;
- Ceph distributed file system;
- EFI Variable file system;
- EROFS file system;
- Ext4 file system;
- F2FS file system;
- GFS2 file system;
- JFS file system;
- Network file systems library;
- Network file system server daemon;
- File systems infrastructure;
- Pstore file system;
- ReiserFS file system;
- SMB network file system;
- BPF subsystem;
- Memory management;
- TLS protocol;
- Ethernet bridge;
- Networking core;
- IPv4 networking;
- IPv6 networking;
- Logical Link layer;
- MAC80211 subsystem;
- Multipath TCP;
- Netfilter;
- NetLabel subsystem;
- Network traffic control;
- SMC sockets;
- Sun RPC protocol;
- AppArmor security module;
- Intel ASoC drivers;
- MediaTek ASoC drivers;
- USB sound devices;
(CVE-2023-52612, CVE-2024-26808, CVE-2023-52691, CVE-2023-52618,
CVE-2023-52463, CVE-2023-52447, CVE-2024-26668, CVE-2023-52454,
CVE-2024-26670, CVE-2024-26646, CVE-2023-52472, CVE-2024-26586,
CVE-2023-52681, CVE-2023-52453, CVE-2023-52611, CVE-2023-52622,
CVE-2024-26641, CVE-2023-52616, CVE-2024-26592, CVE-2023-52606,
CVE-2024-26620, CVE-2023-52692, CVE-2024-26669, CVE-2023-52623,
CVE-2023-52588, CVE-2024-26616, CVE-2024-26610, CVE-2024-35839,
CVE-2023-52490, CVE-2023-52672, CVE-2024-26612, CVE-2023-52617,
CVE-2023-52697, CVE-2024-26644, CVE-2023-52458, CVE-2023-52598,
CVE-2024-35841, CVE-2023-52664, CVE-2023-52635, CVE-2023-52676,
CVE-2023-52669, CVE-2024-26632, CVE-2023-52486, CVE-2024-26625,
CVE-2023-52608, CVE-2024-26634, CVE-2023-52599, CVE-2024-26618,
CVE-2024-26640, CVE-2023-52489, CVE-2023-52675, CVE-2023-52678,
CVE-2024-26583, CVE-2023-52693, CVE-2023-52498, CVE-2024-26649,
CVE-2023-52670, CVE-2023-52473, CVE-2023-52449, CVE-2023-52667,
CVE-2023-52467, CVE-2023-52686, CVE-2024-26633, CVE-2023-52666,
CVE-2024-35840, CVE-2024-26629, CVE-2024-26595, CVE-2023-52593,
CVE-2023-52687, CVE-2023-52465, CVE-2024-26627, CVE-2023-52493,
CVE-2023-52491, CVE-2024-26636, CVE-2024-26584, CVE-2023-52587,
CVE-2023-52597, CVE-2023-52462, CVE-2023-52633, CVE-2023-52696,
CVE-2024-26585, CVE-2023-52589, CVE-2023-52456, CVE-2023-52470,
CVE-2024-35838, CVE-2024-26645, CVE-2023-52591, CVE-2023-52464,
CVE-2023-52609, CVE-2024-26608, CVE-2023-52450, CVE-2023-52584,
CVE-2023-52469, CVE-2023-52583, CVE-2023-52451, CVE-2023-52495,
CVE-2023-52626, CVE-2023-52595, CVE-2023-52680, CVE-2023-52632,
CVE-2024-26582, CVE-2024-35837, CVE-2023-52494, CVE-2023-52614,
CVE-2023-52443, CVE-2023-52698, CVE-2023-52448, CVE-2024-26615,
CVE-2023-52452, CVE-2023-52492, CVE-2024-26647, CVE-2023-52468,
CVE-2023-52594, CVE-2023-52621, CVE-2024-26638, CVE-2024-26594,
CVE-2024-26673, CVE-2023-52457, CVE-2023-52677, CVE-2023-52607,
CVE-2024-26623, CVE-2023-52488, CVE-2023-52497, CVE-2023-52445,
CVE-2024-26607, CVE-2023-52610, CVE-2024-35842, CVE-2023-52690,
CVE-2023-52683, CVE-2023-52444, CVE-2024-26671, CVE-2023-52455,
CVE-2023-52679, CVE-2024-26598, CVE-2023-52674, CVE-2023-52627,
CVE-2023-52619, CVE-2023-52487, CVE-2023-52446, CVE-2024-35835,
CVE-2023-52682, CVE-2023-52685, CVE-2023-52694, CVE-2024-26631)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
linux-image-6.5.0-1024-oracle 6.5.0-1024.24~22.04.1
linux-image-6.5.0-1024-oracle-64k 6.5.0-1024.24~22.04.1
linux-image-oracle 6.5.0.1024.24~22.04.1
linux-image-oracle-64k 6.5.0.1024.24~22.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-6819-4
https://ubuntu.com/security/notices/USN-6819-1
CVE-2023-52443, CVE-2023-52444, CVE-2023-52445, CVE-2023-52446,
CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52450,
CVE-2023-52451, CVE-2023-52452, CVE-2023-52453, CVE-2023-52454,
CVE-2023-52455, CVE-2023-52456, CVE-2023-52457, CVE-2023-52458,
CVE-2023-52462, CVE-2023-52463, CVE-2023-52464, CVE-2023-52465,
CVE-2023-52467, CVE-2023-52468, CVE-2023-52469, CVE-2023-52470,
CVE-2023-52472, CVE-2023-52473, CVE-2023-52486, CVE-2023-52487,
CVE-2023-52488, CVE-2023-52489, CVE-2023-52490, CVE-2023-52491,
CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52495,
CVE-2023-52497, CVE-2023-52498, CVE-2023-52583, CVE-2023-52584,
CVE-2023-52587, CVE-2023-52588, CVE-2023-52589, CVE-2023-52591,
CVE-2023-52593, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597,
CVE-2023-52598, CVE-2023-52599, CVE-2023-52606, CVE-2023-52607,
CVE-2023-52608, CVE-2023-52609, CVE-2023-52610, CVE-2023-52611,
CVE-2023-52612, CVE-2023-52614, CVE-2023-52616, CVE-2023-52617,
CVE-2023-52618, CVE-2023-52619, CVE-2023-52621, CVE-2023-52622,
CVE-2023-52623, CVE-2023-52626, CVE-2023-52627, CVE-2023-52632,
CVE-2023-52633, CVE-2023-52635, CVE-2023-52664, CVE-2023-52666,
CVE-2023-52667, CVE-2023-52669, CVE-2023-52670, CVE-2023-52672,
CVE-2023-52674, CVE-2023-52675, CVE-2023-52676, CVE-2023-52677,
CVE-2023-52678, CVE-2023-52679, CVE-2023-52680, CVE-2023-52681,
CVE-2023-52682, CVE-2023-52683, CVE-2023-52685, CVE-2023-52686,
CVE-2023-52687, CVE-2023-52690, CVE-2023-52691, CVE-2023-52692,
CVE-2023-52693, CVE-2023-52694, CVE-2023-52696, CVE-2023-52697,
CVE-2023-52698, CVE-2023-6356, CVE-2023-6535, CVE-2023-6536,
CVE-2024-23849, CVE-2024-24860, CVE-2024-26582, CVE-2024-26583,
CVE-2024-26584, CVE-2024-26585, CVE-2024-26586, CVE-2024-26592,
CVE-2024-26594, CVE-2024-26595, CVE-2024-26598, CVE-2024-26607,
CVE-2024-26608, CVE-2024-26610, CVE-2024-26612, CVE-2024-26615,
CVE-2024-26616, CVE-2024-26618, CVE-2024-26620, CVE-2024-26623,
CVE-2024-26625, CVE-2024-26627, CVE-2024-26629, CVE-2024-26631,
CVE-2024-26632, CVE-2024-26633, CVE-2024-26634, CVE-2024-26636,
CVE-2024-26638, CVE-2024-26640, CVE-2024-26641, CVE-2024-26644,
CVE-2024-26645, CVE-2024-26646, CVE-2024-26647, CVE-2024-26649,
CVE-2024-26668, CVE-2024-26669, CVE-2024-26670, CVE-2024-26671,
CVE-2024-26673, CVE-2024-26808, CVE-2024-35835, CVE-2024-35837,
CVE-2024-35838, CVE-2024-35839, CVE-2024-35840, CVE-2024-35841,
CVE-2024-35842
Package Information:
https://launchpad.net/ubuntu/+source/linux-oracle-6.5/6.5.0-1024.24~22.04.1
[USN-6843-1] Plasma Workspace vulnerability
==========================================================================
Ubuntu Security Notice USN-6843-1
June 26, 2024
plasma-workspace vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
plasma-workspace would allow unintended access to the session manager.
Software Description:
- plasma-workspace: Plasma Workspace for KF5
Details:
Fabian Vogt discovered that Plasma Workspace incorrectly handled
connections via ICE. A local attacker could possibly use this issue to
gain access to another user's session manager and execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
plasma-workspace 4:5.27.11-0ubuntu4.1
Ubuntu 23.10
plasma-workspace 4:5.27.8-0ubuntu1.1
Ubuntu 22.04 LTS
plasma-workspace 4:5.24.7-0ubuntu0.2
Ubuntu 20.04 LTS
plasma-workspace 4:5.18.8-0ubuntu0.2
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6843-1
CVE-2024-36041
Package Information:
https://launchpad.net/ubuntu/+source/plasma-workspace/4:5.27.11-0ubuntu4.1
https://launchpad.net/ubuntu/+source/plasma-workspace/4:5.27.8-0ubuntu1.1
https://launchpad.net/ubuntu/+source/plasma-workspace/4:5.24.7-0ubuntu0.2
https://launchpad.net/ubuntu/+source/plasma-workspace/4:5.18.8-0ubuntu0.2
[USN-6852-1] Wget vulnerability
==========================================================================
Ubuntu Security Notice USN-6852-1
June 26, 2024
wget vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Wget could be made to connect to a different host than expected.
Software Description:
- wget: retrieves files from the web
Details:
It was discovered that Wget incorrectly handled semicolons in the userinfo
subcomponent of a URI. A remote attacker could possibly trick a user into
connecting to a different host than expected.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
wget 1.21.4-1ubuntu4.1
Ubuntu 23.10
wget 1.21.3-1ubuntu1.1
Ubuntu 22.04 LTS
wget 1.21.2-2ubuntu1.1
Ubuntu 20.04 LTS
wget 1.20.3-1ubuntu2.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6852-1
CVE-2024-38428
Package Information:
https://launchpad.net/ubuntu/+source/wget/1.21.4-1ubuntu4.1
https://launchpad.net/ubuntu/+source/wget/1.21.3-1ubuntu1.1
https://launchpad.net/ubuntu/+source/wget/1.21.2-2ubuntu1.1
https://launchpad.net/ubuntu/+source/wget/1.20.3-1ubuntu2.1
[USN-6853-1] Ruby vulnerability
==========================================================================
Ubuntu Security Notice USN-6853-1
June 26, 2024
ruby2.7, ruby3.0, ruby3.1 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Ruby could be made to crash or expose sensitive information login if it
processed certain strings.
Software Description:
- ruby3.1: Object-oriented scripting language
- ruby3.0: Object-oriented scripting language
- ruby2.7: Object-oriented scripting language
Details:
It was discovered that Ruby incorrectly handled the ungetbyte and ungetc
methods. A remote attacker could use this issue to cause Ruby to crash,
resulting in a denial of service, or possibly obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10
libruby3.1 3.1.2-7ubuntu3.3
ruby3.1 3.1.2-7ubuntu3.3
Ubuntu 22.04 LTS
libruby3.0 3.0.2-7ubuntu2.7
ruby3.0 3.0.2-7ubuntu2.7
Ubuntu 20.04 LTS
libruby2.7 2.7.0-5ubuntu1.14
ruby2.7 2.7.0-5ubuntu1.14
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6853-1
CVE-2024-27280
Package Information:
https://launchpad.net/ubuntu/+source/ruby3.1/3.1.2-7ubuntu3.3
https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.7
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.14
[USN-6566-2] SQLite vulnerability
==========================================================================
Ubuntu Security Notice USN-6566-2
June 26, 2024
sqlite3 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
SQLite could be made to crash if it received specially crafted
input.
Software Description:
- sqlite3: C library that implements an SQL database engine
Details:
USN-6566-1 fixed several vulnerabilities in SQLite. This update provides
the corresponding fix for CVE-2023-7104 for Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that SQLite incorrectly handled certain memory operations
in the sessions extension. A remote attacker could possibly use this issue
to cause SQLite to crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
libsqlite3-0 3.22.0-1ubuntu0.7+esm1
Available with Ubuntu Pro
libsqlite3-dev 3.22.0-1ubuntu0.7+esm1
Available with Ubuntu Pro
libsqlite3-tcl 3.22.0-1ubuntu0.7+esm1
Available with Ubuntu Pro
sqlite3 3.22.0-1ubuntu0.7+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6566-2
https://ubuntu.com/security/notices/USN-6566-1
CVE-2023-7104
[USN-6851-1] Netplan vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6851-1
June 26, 2024
netplan.io vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Netplan could reveal secrets or execute commands with specially crafted
configuration file.
Software Description:
- netplan.io: Declarative network configuration for various backends
Details:
Andreas Hasenack discovered that netplan incorrectly handled the permissions
for netdev files containing wireguard configuration. An attacker could use this to obtain
wireguard secret keys.
It was discovered that netplan configuration could be manipulated into injecting
arbitrary commands while setting up network interfaces. An attacker could
use this to execute arbitrary commands or escalate privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libnetplan1 1.0-2ubuntu1.1
netplan-generator 1.0-2ubuntu1.1
netplan.io 1.0-2ubuntu1.1
Ubuntu 23.10
libnetplan0 0.107-5ubuntu0.3
netplan-generator 0.107-5ubuntu0.3
netplan.io 0.107-5ubuntu0.3
Ubuntu 22.04 LTS
libnetplan0 0.106.1-7ubuntu0.22.04.3
netplan.io 0.106.1-7ubuntu0.22.04.3
Ubuntu 20.04 LTS
libnetplan0 0.104-0ubuntu2~20.04.5
netplan.io 0.104-0ubuntu2~20.04.5
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6851-1
CVE-2022-4968, https://launchpad.net/bugs/1987842, https://launchpad.net/bugs/2065738, https://launchpad.net/bugs/2066258
Package Information:
https://launchpad.net/ubuntu/+source/netplan.io/1.0-2ubuntu1.1
https://launchpad.net/ubuntu/+source/netplan.io/0.107-5ubuntu0.3
https://launchpad.net/ubuntu/+source/netplan.io/0.106.1-7ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/netplan.io/0.104-0ubuntu2~20.04.5
