Ubuntu 6495 Published by

The following security updates are available for Ubuntu Linux:

[USN-6928-1] Python vulnerabilities
[USN-6924-2] Linux kernel vulnerabilities
[USN-6929-1] OpenJDK 8 vulnerabilities
[USN-6931-1] OpenJDK 17 vulnerabilities
[USN-6932-1] OpenJDK 21 vulnerabilities
[USN-6930-1] OpenJDK 11 vulnerabilities




[USN-6928-1] Python vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6928-1
July 30, 2024

python3.10, python3.8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Python.

Software Description:
- python3.10: An interactive high-level object-oriented language
- python3.8: An interactive high-level object-oriented language

Details:

It was discovered that the Python ssl module contained a memory race
condition when handling the APIs to obtain the CA certificates and
certificate store statistics. This could possibly result in applications
obtaining wrong results, leading to various SSL issues. (CVE-2024-0397)

It was discovered that the Python ipaddress module contained incorrect
information about which IP address ranges were considered "private" or
"globally reachable". This could possibly result in applications applying
incorrect security policies. (CVE-2024-4032)
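Where CVE-2024-4032 bites is code that turns ip_address(x).is_private or .is_global into a policy decision, for example a guard on a server-side fetcher. The block below is an added example, not code from the notice or from CPython: it answers the question from an explicit range list and reports where the running interpreter disagrees; the range list is the editor's reading of the IANA IPv4 Special-Purpose Address Registry (IPv4 only), and the function names are assumed.

```python
import ipaddress

# Ranges the IANA IPv4 Special-Purpose Address Registry marks as not
# globally reachable, plus multicast (editor's assumption; review it).
NON_GLOBAL_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",           # "this network"
    "10.0.0.0/8",          # private-use (RFC 1918)
    "100.64.0.0/10",       # shared address space for CGN (RFC 6598)
    "127.0.0.0/8",         # loopback
    "169.254.0.0/16",      # link-local
    "172.16.0.0/12",       # private-use (RFC 1918)
    "192.0.0.0/24",        # IETF protocol assignments
    "192.0.2.0/24",        # TEST-NET-1
    "192.168.0.0/16",      # private-use (RFC 1918)
    "198.18.0.0/15",       # benchmarking
    "198.51.100.0/24",     # TEST-NET-2
    "203.0.113.0/24",      # TEST-NET-3
    "224.0.0.0/4",         # multicast, never a unicast destination
    "240.0.0.0/4",         # reserved
    "255.255.255.255/32",  # limited broadcast
)]
# More-specific registry entries inside 192.0.0.0/24 that ARE reachable.
GLOBAL_EXCEPTIONS_V4 = [ipaddress.ip_network(n) for n in (
    "192.0.0.9/32",        # Port Control Protocol anycast (RFC 7723)
    "192.0.0.10/32",       # TURN anycast (RFC 8155)
)]

def is_globally_reachable(addr):
    """Registry-based answer that does not depend on the interpreter's
    own ipaddress tables. IPv4 only in this example."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only in this example")
    if any(ip in net for net in GLOBAL_EXCEPTIONS_V4):
        return True
    return not any(ip in net for net in NON_GLOBAL_V4)

def stdlib_disagreements(addrs):
    """Addresses where this interpreter's is_global differs from the
    registry answer. A non-empty result suggests the interpreter has
    not received the CVE-2024-4032 correction."""
    return [a for a in addrs
            if ipaddress.ip_address(a).is_global != is_globally_reachable(a)]

if __name__ == "__main__":
    # constructed sample destinations
    probe = ["8.8.8.8", "198.18.0.1", "192.0.0.9", "192.0.0.1", "100.64.1.1"]
    for a in probe:
        print(a, "reachable" if is_globally_reachable(a) else "not reachable")
    print("interpreter disagrees on:", stdlib_disagreements(probe))
```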

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
python3.10 3.10.12-1~22.04.5
python3.10-minimal 3.10.12-1~22.04.5

Ubuntu 20.04 LTS
python3.8 3.8.10-0ubuntu1~20.04.11
python3.8-minimal 3.8.10-0ubuntu1~20.04.11

In general, a standard system update will make all the necessary changes.
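To confirm that a host actually carries the fixed versions listed in this and the following notices, the installed version has to be compared with the quoted one under dpkg ordering, where 3.10.12-1~22.04.5 sorts below 3.10.12-1 because of the tilde. The block below is an added example, not part of the notice: a pure-Python rendering of the dpkg comparison rules, with FIXED_JAMMY and unpatched() as assumed names and the installed-version map constructed by the caller.

```python
import re

def _parse(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def _order(ch):
    """dpkg character weights: '~' sorts before everything, even the end
    of the string; letters sort before other non-digit characters."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """Compare two upstream or revision strings as alternating runs of
    non-digits (character weights) and digits (numeric value)."""
    while a or b:
        ra = re.match(r"[^0-9]*", a).group(0)
        rb = re.match(r"[^0-9]*", b).group(0)
        for i in range(max(len(ra), len(rb))):
            oa = _order(ra[i] if i < len(ra) else "")
            ob = _order(rb[i] if i < len(rb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(ra):], b[len(rb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1, with the meaning of `dpkg --compare-versions`."""
    e1, u1, r1 = _parse(v1)
    e2, u2, r2 = _parse(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

# Fixed versions quoted above for Ubuntu 22.04 LTS (USN-6928-1).
FIXED_JAMMY = {"python3.10": "3.10.12-1~22.04.5",
               "python3.10-minimal": "3.10.12-1~22.04.5"}

def unpatched(installed, fixed=FIXED_JAMMY):
    """Packages whose installed version is older than the fixed one.
    `installed` maps name -> version, e.g. built from dpkg-query -W."""
    return sorted(p for p, want in fixed.items()
                  if p in installed and compare_versions(installed[p], want) < 0)
```

Cross-check the results against `dpkg --compare-versions` on a real host before relying on them.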

References:
https://ubuntu.com/security/notices/USN-6928-1
CVE-2024-0397, CVE-2024-4032

Package Information:
https://launchpad.net/ubuntu/+source/python3.10/3.10.12-1~22.04.5
https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.11



[USN-6924-2] Linux kernel vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6924-2
July 30, 2024

linux-aws, linux-aws-5.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM SCMI message protocol;
- InfiniBand drivers;
- TTY drivers;
- TLS protocol;
(CVE-2022-48655, CVE-2024-36016, CVE-2024-26584, CVE-2021-47131,
CVE-2024-26907, CVE-2024-26585, CVE-2024-26583)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
linux-image-5.4.0-1129-aws 5.4.0-1129.139
linux-image-aws-lts-20.04 5.4.0.1129.126

Ubuntu 18.04 LTS
linux-image-5.4.0-1129-aws 5.4.0-1129.139~18.04.1
Available with Ubuntu Pro
linux-image-aws 5.4.0.1129.139~18.04.1
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6924-2
https://ubuntu.com/security/notices/USN-6924-1
CVE-2021-47131, CVE-2022-48655, CVE-2024-26583, CVE-2024-26584,
CVE-2024-26585, CVE-2024-26907, CVE-2024-36016

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1129.139



[USN-6929-1] OpenJDK 8 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6929-1
July 31, 2024

openjdk-8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK 8.

Software Description:
- openjdk-8: Open Source Java implementation

Details:

It was discovered that the Hotspot component of OpenJDK 8 was not properly
performing bounds checks when handling certain UTF-8 strings, which could lead to
a buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-21131)

It was discovered that the Hotspot component of OpenJDK 8 could be made to
run into an infinite loop. If an automated system were tricked into
processing excessively large symbols, an attacker could possibly use this
issue to cause a denial of service. (CVE-2024-21138)

It was discovered that the Hotspot component of OpenJDK 8 did not properly
perform range check elimination. An attacker could possibly use this issue
to cause a denial of service, execute arbitrary code or bypass Java
sandbox restrictions. (CVE-2024-21140)

Yakov Shafranovich discovered that the Concurrency component of OpenJDK 8
incorrectly performed header validation in the Pack200 archive format. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2024-21144)

Sergey Bylokhov discovered that OpenJDK 8 did not properly manage memory
when handling 2D images. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2024-21145)

It was discovered that the Hotspot component of OpenJDK 8 incorrectly
handled memory when performing range check elimination under certain
circumstances. An attacker could possibly use this issue to cause a
denial of service, execute arbitrary code or bypass Java sandbox
restrictions. (CVE-2024-21147)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
openjdk-8-jdk 8u422-b05-1~24.04
openjdk-8-jdk-headless 8u422-b05-1~24.04
openjdk-8-jre 8u422-b05-1~24.04
openjdk-8-jre-headless 8u422-b05-1~24.04
openjdk-8-jre-zero 8u422-b05-1~24.04

Ubuntu 22.04 LTS
openjdk-8-jdk 8u422-b05-1~22.04
openjdk-8-jdk-headless 8u422-b05-1~22.04
openjdk-8-jre 8u422-b05-1~22.04
openjdk-8-jre-headless 8u422-b05-1~22.04
openjdk-8-jre-zero 8u422-b05-1~22.04

Ubuntu 20.04 LTS
openjdk-8-jdk 8u422-b05-1~20.04
openjdk-8-jdk-headless 8u422-b05-1~20.04
openjdk-8-jre 8u422-b05-1~20.04
openjdk-8-jre-headless 8u422-b05-1~20.04
openjdk-8-jre-zero 8u422-b05-1~20.04

Ubuntu 18.04 LTS
openjdk-8-jdk 8u422-b05-1~18.04
Available with Ubuntu Pro
openjdk-8-jdk-headless 8u422-b05-1~18.04
Available with Ubuntu Pro
openjdk-8-jre 8u422-b05-1~18.04
Available with Ubuntu Pro
openjdk-8-jre-headless 8u422-b05-1~18.04
Available with Ubuntu Pro
openjdk-8-jre-zero 8u422-b05-1~18.04
Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6929-1
CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144,
CVE-2024-21145, CVE-2024-21147

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-8/8u422-b05-1~24.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u422-b05-1~22.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u422-b05-1~20.04



[USN-6931-1] OpenJDK 17 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6931-1
July 31, 2024

openjdk-17 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenJDK 17.

Software Description:
- openjdk-17: Open Source Java implementation

Details:

It was discovered that the Hotspot component of OpenJDK 17 was not properly
performing bounds checks when handling certain UTF-8 strings, which could lead to
a buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-21131)

It was discovered that the Hotspot component of OpenJDK 17 could be made to
run into an infinite loop. If an automated system were tricked into
processing excessively large symbols, an attacker could possibly use this
issue to cause a denial of service. (CVE-2024-21138)

It was discovered that the Hotspot component of OpenJDK 17 did not
properly perform range check elimination. An attacker could possibly use
this issue to cause a denial of service, execute arbitrary code or bypass
Java sandbox restrictions. (CVE-2024-21140)

Sergey Bylokhov discovered that OpenJDK 17 did not properly manage memory
when handling 2D images. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2024-21145)

It was discovered that the Hotspot component of OpenJDK 17 incorrectly
handled memory when performing range check elimination under certain
circumstances. An attacker could possibly use this issue to cause a
denial of service, execute arbitrary code or bypass Java sandbox
restrictions. (CVE-2024-21147)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
openjdk-17-jdk 17.0.12+7-1ubuntu2~24.04
openjdk-17-jdk-headless 17.0.12+7-1ubuntu2~24.04
openjdk-17-jre 17.0.12+7-1ubuntu2~24.04
openjdk-17-jre-headless 17.0.12+7-1ubuntu2~24.04
openjdk-17-jre-zero 17.0.12+7-1ubuntu2~24.04

Ubuntu 22.04 LTS
openjdk-17-jdk 17.0.12+7-1ubuntu2~22.04
openjdk-17-jdk-headless 17.0.12+7-1ubuntu2~22.04
openjdk-17-jre 17.0.12+7-1ubuntu2~22.04
openjdk-17-jre-headless 17.0.12+7-1ubuntu2~22.04
openjdk-17-jre-zero 17.0.12+7-1ubuntu2~22.04

Ubuntu 20.04 LTS
openjdk-17-jdk 17.0.12+7-1ubuntu2~20.04
openjdk-17-jdk-headless 17.0.12+7-1ubuntu2~20.04
openjdk-17-jre 17.0.12+7-1ubuntu2~20.04
openjdk-17-jre-headless 17.0.12+7-1ubuntu2~20.04
openjdk-17-jre-zero 17.0.12+7-1ubuntu2~20.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6931-1
CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21145,
CVE-2024-21147

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.12+7-1ubuntu2~24.04
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.12+7-1ubuntu2~22.04
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.12+7-1ubuntu2~20.04



[USN-6932-1] OpenJDK 21 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6932-1
July 31, 2024

openjdk-21 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenJDK 21.

Software Description:
- openjdk-21: Open Source Java implementation

Details:

It was discovered that the Hotspot component of OpenJDK 21 was not properly
performing bounds checks when handling certain UTF-8 strings, which could lead to
a buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-21131)

It was discovered that the Hotspot component of OpenJDK 21 could be made to
run into an infinite loop. If an automated system were tricked into
processing excessively large symbols, an attacker could possibly use this
issue to cause a denial of service. (CVE-2024-21138)

It was discovered that the Hotspot component of OpenJDK 21 did not
properly perform range check elimination. An attacker could possibly use
this issue to cause a denial of service, execute arbitrary code or bypass
Java sandbox restrictions. (CVE-2024-21140)

Sergey Bylokhov discovered that OpenJDK 21 did not properly manage memory
when handling 2D images. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2024-21145)

It was discovered that the Hotspot component of OpenJDK 21 incorrectly
handled memory when performing range check elimination under certain
circumstances. An attacker could possibly use this issue to cause a
denial of service, execute arbitrary code or bypass Java sandbox
restrictions. (CVE-2024-21147)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
openjdk-21-jdk 21.0.4+7-1ubuntu2~24.04
openjdk-21-jdk-headless 21.0.4+7-1ubuntu2~24.04
openjdk-21-jre 21.0.4+7-1ubuntu2~24.04
openjdk-21-jre-headless 21.0.4+7-1ubuntu2~24.04
openjdk-21-jre-zero 21.0.4+7-1ubuntu2~24.04

Ubuntu 22.04 LTS
openjdk-21-jdk 21.0.4+7-1ubuntu2~22.04
openjdk-21-jdk-headless 21.0.4+7-1ubuntu2~22.04
openjdk-21-jre 21.0.4+7-1ubuntu2~22.04
openjdk-21-jre-headless 21.0.4+7-1ubuntu2~22.04
openjdk-21-jre-zero 21.0.4+7-1ubuntu2~22.04

Ubuntu 20.04 LTS
openjdk-21-jdk 21.0.4+7-1ubuntu2~20.04
openjdk-21-jdk-headless 21.0.4+7-1ubuntu2~20.04
openjdk-21-jre 21.0.4+7-1ubuntu2~20.04
openjdk-21-jre-headless 21.0.4+7-1ubuntu2~20.04
openjdk-21-jre-zero 21.0.4+7-1ubuntu2~20.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6932-1
CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21145,
CVE-2024-21147

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.4+7-1ubuntu2~24.04
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.4+7-1ubuntu2~22.04
https://launchpad.net/ubuntu/+source/openjdk-21/21.0.4+7-1ubuntu2~20.04



[USN-6930-1] OpenJDK 11 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6930-1
July 31, 2024

openjdk-lts vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenJDK 11.

Software Description:
- openjdk-lts: Open Source Java implementation

Details:

It was discovered that the Hotspot component of OpenJDK 11 was not properly
performing bounds checks when handling certain UTF-8 strings, which could lead to
a buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-21131)

It was discovered that the Hotspot component of OpenJDK 11 could be made to
run into an infinite loop. If an automated system were tricked into
processing excessively large symbols, an attacker could possibly use this
issue to cause a denial of service. (CVE-2024-21138)

It was discovered that the Hotspot component of OpenJDK 11 did not
properly perform range check elimination. An attacker could possibly use
this issue to cause a denial of service, execute arbitrary code or bypass
Java sandbox restrictions. (CVE-2024-21140)

Yakov Shafranovich discovered that the Concurrency component of OpenJDK 11
incorrectly performed header validation in the Pack200 archive format. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2024-21144)

Sergey Bylokhov discovered that OpenJDK 11 did not properly manage memory
when handling 2D images. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2024-21145)

It was discovered that the Hotspot component of OpenJDK 11 incorrectly
handled memory when performing range check elimination under certain
circumstances. An attacker could possibly use this issue to cause a
denial of service, execute arbitrary code or bypass Java sandbox
restrictions. (CVE-2024-21147)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
openjdk-11-jdk 11.0.24+8-1ubuntu3~24.04.1
openjdk-11-jdk-headless 11.0.24+8-1ubuntu3~24.04.1
openjdk-11-jre 11.0.24+8-1ubuntu3~24.04.1
openjdk-11-jre-headless 11.0.24+8-1ubuntu3~24.04.1
openjdk-11-jre-zero 11.0.24+8-1ubuntu3~24.04.1

Ubuntu 22.04 LTS
openjdk-11-jdk 11.0.24+8-1ubuntu3~22.04
openjdk-11-jdk-headless 11.0.24+8-1ubuntu3~22.04
openjdk-11-jre 11.0.24+8-1ubuntu3~22.04
openjdk-11-jre-headless 11.0.24+8-1ubuntu3~22.04
openjdk-11-jre-zero 11.0.24+8-1ubuntu3~22.04

Ubuntu 20.04 LTS
openjdk-11-jdk 11.0.24+8-1ubuntu3~20.04
openjdk-11-jdk-headless 11.0.24+8-1ubuntu3~20.04
openjdk-11-jre 11.0.24+8-1ubuntu3~20.04
openjdk-11-jre-headless 11.0.24+8-1ubuntu3~20.04
openjdk-11-jre-zero 11.0.24+8-1ubuntu3~20.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6930-1
CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144,
CVE-2024-21145, CVE-2024-21147

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.24+8-1ubuntu3~24.04.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.24+8-1ubuntu3~22.04
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.24+8-1ubuntu3~20.04