Ubuntu 6614 Published by

The following updates are available for Ubuntu Linux:

[USN-6689-1] Rack vulnerabilities
[USN-6690-1] Open vSwitch vulnerabilities
[USN-6692-1] Gson vulnerability
[USN-6691-1] OVN vulnerability
[USN-6656-2] PostgreSQL vulnerability
[USN-6693-1] .NET vulnerability




[USN-6689-1] Rack vulnerabilities


=========================================================================
Ubuntu Security Notice USN-6689-1
March 12, 2024

ruby-rack vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10

Summary:

Rack could be made do denial of service if it received a specially
crafted header.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack incorrectly parse some headers.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27539, CVE-2024-26141, CVE-2024-26146)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
ruby-rack 2.2.4-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6689-1
CVE-2023-27539, CVE-2024-26141, CVE-2024-26146

Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.4-3ubuntu0.1



[USN-6690-1] Open vSwitch vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6690-1
March 12, 2024

openvswitch vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Open vSwitch.

Software Description:
- openvswitch: Ethernet virtual switch

Details:

Timothy Redaelli and Haresh Khandelwal discovered that Open vSwitch
incorrectly handled certain crafted Geneve packets when hardware offloading
via the netlink path is enabled. A remote attacker could possibly use this
issue to cause Open vSwitch to crash, leading to a denial of service.
(CVE-2023-3966)

It was discovered that Open vSwitch incorrectly handled certain ICMPv6
Neighbor Advertisement packets. A remote attacker could possibly use this
issue to redirect traffic to arbitrary IP addresses. (CVE-2023-5366)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
openvswitch-common 3.2.2-0ubuntu0.23.10.1
python3-openvswitch 3.2.2-0ubuntu0.23.10.1

Ubuntu 22.04 LTS:
openvswitch-common 2.17.9-0ubuntu0.22.04.1
python3-openvswitch 2.17.9-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
openvswitch-common 2.13.8-0ubuntu1.4
python3-openvswitch 2.13.8-0ubuntu1.4

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://ubuntu.com/security/notices/USN-6690-1
CVE-2023-3966, CVE-2023-5366

Package Information:
https://launchpad.net/ubuntu/+source/openvswitch/3.2.2-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/openvswitch/2.17.9-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/openvswitch/2.13.8-0ubuntu1.4



[USN-6692-1] Gson vulnerability


==========================================================================
Ubuntu Security Notice USN-6692-1
March 12, 2024

libgoogle-gson-java vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Gson could be made to crash if it opened a specially crafted
file.

Software Description:
- libgoogle-gson-java: A Java serialization/deserialization library to convert
Java Objects into JSON and back

Details:

It was discovered that Gson incorrectly handled deserialization of untrusted
input data. If a user or an automated system were tricked into opening a
specially crafted input file, a remote attacker could possibly use this issue
to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
libgoogle-gson-java 2.8.8-1ubuntu0.1

Ubuntu 20.04 LTS:
libgoogle-gson-java 2.8.5-3+deb10u1build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libgoogle-gson-java 2.8.5-3~18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libgoogle-gson-java 2.4-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6692-1
CVE-2022-25647

Package Information:
https://launchpad.net/ubuntu/+source/libgoogle-gson-java/2.8.8-1ubuntu0.1

https://launchpad.net/ubuntu/+source/libgoogle-gson-java/2.8.5-3+deb10u1build0.20.04.1



[USN-6691-1] OVN vulnerability


==========================================================================
Ubuntu Security Notice USN-6691-1
March 12, 2024

ovn vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

OVN could be made to disrupt traffic.

Software Description:
- ovn: system to support virtual network abstraction

Details:

It was discovered that OVN incorrectly enabled OVS Bidirectional Forwarding
Detection on logical ports. A remote attacker could possibly use this issue
to disrupt traffic.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
ovn-central 23.09.0-1ubuntu0.1
ovn-common 23.09.0-1ubuntu0.1
ovn-host 23.09.0-1ubuntu0.1
ovn-ic 23.09.0-1ubuntu0.1

Ubuntu 22.04 LTS:
ovn-central 22.03.3-0ubuntu0.22.04.2
ovn-common 22.03.3-0ubuntu0.22.04.2
ovn-host 22.03.3-0ubuntu0.22.04.2
ovn-ic 22.03.3-0ubuntu0.22.04.2

Ubuntu 20.04 LTS:
ovn-central 20.03.2-0ubuntu0.20.04.5
ovn-common 20.03.2-0ubuntu0.20.04.5
ovn-host 20.03.2-0ubuntu0.20.04.5
ovn-ic 20.03.2-0ubuntu0.20.04.5

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6691-1
CVE-2024-2182

Package Information:
https://launchpad.net/ubuntu/+source/ovn/23.09.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/ovn/22.03.3-0ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/ovn/20.03.2-0ubuntu0.20.04.5



[USN-6656-2] PostgreSQL vulnerability


==========================================================================
Ubuntu Security Notice USN-6656-2
March 12, 2024

postgresql-9.5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

PostgreSQL could be made to run arbitrary SQL.

Software Description:
- postgresql-9.5: Object-relational SQL database

Details:

USN-6656-1 fixed several vulnerabilities in PostgreSQL. This update provides
the corresponding updates for Ubuntu 16.04 LTS

Original advisory details:

It was discovered that PostgreSQL incorrectly handled dropping privileges
when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or
automatic system were tricked into running a specially crafted command, a
remote attacker could possibly use this issue to execute arbitrary SQL
functions.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
postgresql-9.5 9.5.25-0ubuntu0.16.04.1+esm7
postgresql-client-9.5 9.5.25-0ubuntu0.16.04.1+esm7

After a standard system update you need to restart PostgreSQL to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6656-2
https://ubuntu.com/security/notices/USN-6656-1
CVE-2024-0985



[USN-6693-1] .NET vulnerability


==========================================================================
Ubuntu Security Notice USN-6693-1
March 12, 2024

dotnet7, dotnet8 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS

Summary:

.NET could be made to crash if it processed specially crafted requests.

Software Description:
- dotnet7: .NET CLI tools and runtime
- dotnet8: .NET CLI tools and runtime

Details:

It was discovered that .NET did not properly handle certain specially
crafted requests. An attacker could potentially use this issue to cause
a resource leak, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  aspnetcore-runtime-7.0      7.0.117-0ubuntu1~23.10.1
  aspnetcore-runtime-8.0      8.0.3-0ubuntu1~23.10.1
  dotnet-runtime-7.0              7.0.117-0ubuntu1~23.10.1
  dotnet-runtime-8.0              8.0.3-0ubuntu1~23.10.1
  dotnet7                                  7.0.117-0ubuntu1~23.10.1
  dotnet8 8.0.103-8.0.3-0ubuntu1~23.10.1

Ubuntu 22.04 LTS:
  aspnetcore-runtime-7.0      7.0.117-0ubuntu1~22.04.1
  aspnetcore-runtime-8.0      8.0.3-0ubuntu1~22.04.1
  dotnet-runtime-7.0              7.0.117-0ubuntu1~22.04.1
  dotnet-runtime-8.0              8.0.3-0ubuntu1~22.04.1
  dotnet7                                  7.0.117-0ubuntu1~22.04.1
  dotnet8 8.0.103-8.0.3-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6693-1
  CVE-2024-21392

Package Information:
https://launchpad.net/ubuntu/+source/dotnet7/7.0.117-0ubuntu1~23.10.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.103-8.0.3-0ubuntu1~23.10.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.117-0ubuntu1~22.04.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.103-8.0.3-0ubuntu1~22.04.1