Ubuntu 6587 Published by

Updates for PostgreSQL, Python-cryptography, and BlueZ are now available for Ubuntu Linux:

[USN-6538-1] PostgreSQL vulnerabilities
[USN-6539-1] python-cryptography vulnerabilities
[USN-6540-1] BlueZ vulnerability




[USN-6538-1] PostgreSQL vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6538-1
December 06, 2023

postgresql-12, postgresql-14, postgresql-15 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-15: Object-relational SQL database
- postgresql-14: Object-relational SQL database
- postgresql-12: Object-relational SQL database

Details:

Jingzhou Fu discovered that PostgreSQL incorrectly handled certain unknown
arguments in aggregate function calls. A remote attacker could possibly use
this issue to obtain sensitive information. (CVE-2023-5868)

Pedro Gallegos discovered that PostgreSQL incorrectly handled modifying
certain SQL array values. A remote attacker could use this issue to obtain
sensitive information, or possibly execute arbitrary code. (CVE-2023-5869)

Hemanth Sandrana and Mahendrakar Srinivasarao discovered that PostgreSQL
allowed the pg_signal_backend role to signal certain superuser processes,
contrary to expectations. (CVE-2023-5870)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
postgresql-15 15.5-0ubuntu0.23.10.1
postgresql-client-15 15.5-0ubuntu0.23.10.1

Ubuntu 23.04:
postgresql-15 15.5-0ubuntu0.23.04.1
postgresql-client-15 15.5-0ubuntu0.23.04.1

Ubuntu 22.04 LTS:
postgresql-14 14.10-0ubuntu0.22.04.1
postgresql-client-14 14.10-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
postgresql-12 12.17-0ubuntu0.20.04.1
postgresql-client-12 12.17-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6538-1
CVE-2023-5868, CVE-2023-5869, CVE-2023-5870

Package Information:
https://launchpad.net/ubuntu/+source/postgresql-15/15.5-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/postgresql-15/15.5-0ubuntu0.23.04.1
https://launchpad.net/ubuntu/+source/postgresql-14/14.10-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/postgresql-12/12.17-0ubuntu0.20.04.1



[USN-6539-1] python-cryptography vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6539-1
December 06, 2023

python-cryptography vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in python-cryptography.

Software Description:
- python-cryptography: Cryptography Python library

Details:

It was discovered that the python-cryptography Cipher.update_into function
would incorrectly accept objects with immutable buffers. This would result
in corrupted output, contrary to expectations. This issue only affected
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-23931)

It was dicovered that python-cryptography incorrectly handled loading
certain PKCS7 certificates. A remote attacker could possibly use this
issue to cause python-cryptography to crash, resulting in a denial of
service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and
Ubuntu 23.10. (CVE-2023-49083)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
python3-cryptography 38.0.4-4ubuntu0.23.10.1

Ubuntu 23.04:
python3-cryptography 38.0.4-2ubuntu0.1

Ubuntu 22.04 LTS:
python3-cryptography 3.4.8-1ubuntu2.1

Ubuntu 20.04 LTS:
python-cryptography 2.8-3ubuntu0.2
python3-cryptography 2.8-3ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6539-1
CVE-2023-23931, CVE-2023-49083

Package Information:
https://launchpad.net/ubuntu/+source/python-cryptography/38.0.4-4ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/python-cryptography/38.0.4-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-cryptography/3.4.8-1ubuntu2.1
https://launchpad.net/ubuntu/+source/python-cryptography/2.8-3ubuntu0.2



[USN-6540-1] BlueZ vulnerability


==========================================================================
Ubuntu Security Notice USN-6540-1
December 07, 2023

bluez vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

BlueZ could be made to give a physically proximate attacker keyboard and
mouse control of a computer.

Software Description:
- bluez: Bluetooth tools and daemons

Details:

It was discovered that BlueZ did not properly restrict non-bonded devices
from injecting HID events into the input subsystem. This could allow a
physically proximate attacker to inject keystrokes and execute arbitrary
commands whilst the device is discoverable.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
bluez 5.68-0ubuntu1.1
libbluetooth3 5.68-0ubuntu1.1

Ubuntu 23.04:
bluez 5.66-0ubuntu1.1
libbluetooth3 5.66-0ubuntu1.1

Ubuntu 22.04 LTS:
bluez 5.64-0ubuntu1.1
libbluetooth3 5.64-0ubuntu1.1

Ubuntu 20.04 LTS:
bluez 5.53-0ubuntu3.7
libbluetooth3 5.53-0ubuntu3.7

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
bluez 5.48-0ubuntu3.9+esm1
libbluetooth3 5.48-0ubuntu3.9+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
bluez 5.37-0ubuntu5.3+esm3
libbluetooth3 5.37-0ubuntu5.3+esm3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6540-1
CVE-2023-45866

Package Information:
https://launchpad.net/ubuntu/+source/bluez/5.68-0ubuntu1.1
https://launchpad.net/ubuntu/+source/bluez/5.66-0ubuntu1.1
https://launchpad.net/ubuntu/+source/bluez/5.64-0ubuntu1.1
https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.7