[USN-6689-1] Rack vulnerabilities
[USN-6690-1] Open vSwitch vulnerabilities
[USN-6692-1] Gson vulnerability
[USN-6691-1] OVN vulnerability
[USN-6656-2] PostgreSQL vulnerability
[USN-6693-1] .NET vulnerability
[USN-6689-1] Rack vulnerabilities
=========================================================================
Ubuntu Security Notice USN-6689-1
March 12, 2024
ruby-rack vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
Summary:
Rack could be made to deny service if it received a specially
crafted header.
Software Description:
- ruby-rack: modular Ruby webserver interface
Details:
It was discovered that Rack incorrectly parsed certain headers.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27539, CVE-2024-26141, CVE-2024-26146)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
ruby-rack 2.2.4-3ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6689-1
CVE-2023-27539, CVE-2024-26141, CVE-2024-26146
Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.4-3ubuntu0.1
[USN-6690-1] Open vSwitch vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6690-1
March 12, 2024
openvswitch vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Open vSwitch.
Software Description:
- openvswitch: Ethernet virtual switch
Details:
Timothy Redaelli and Haresh Khandelwal discovered that Open vSwitch
incorrectly handled certain crafted Geneve packets when hardware offloading
via the netlink path is enabled. A remote attacker could possibly use this
issue to cause Open vSwitch to crash, leading to a denial of service.
(CVE-2023-3966)
It was discovered that Open vSwitch incorrectly handled certain ICMPv6
Neighbor Advertisement packets. A remote attacker could possibly use this
issue to redirect traffic to arbitrary IP addresses. (CVE-2023-5366)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
openvswitch-common 3.2.2-0ubuntu0.23.10.1
python3-openvswitch 3.2.2-0ubuntu0.23.10.1
Ubuntu 22.04 LTS:
openvswitch-common 2.17.9-0ubuntu0.22.04.1
python3-openvswitch 2.17.9-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
openvswitch-common 2.13.8-0ubuntu1.4
python3-openvswitch 2.13.8-0ubuntu1.4
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-6690-1
CVE-2023-3966, CVE-2023-5366
Package Information:
https://launchpad.net/ubuntu/+source/openvswitch/3.2.2-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/openvswitch/2.17.9-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/openvswitch/2.13.8-0ubuntu1.4
[USN-6692-1] Gson vulnerability
==========================================================================
Ubuntu Security Notice USN-6692-1
March 12, 2024
libgoogle-gson-java vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Gson could be made to crash if it opened a specially crafted
file.
Software Description:
- libgoogle-gson-java: A Java serialization/deserialization library to convert
Java Objects into JSON and back
Details:
It was discovered that Gson incorrectly handled deserialization of untrusted
input data. If a user or an automated system were tricked into opening a
specially crafted input file, a remote attacker could possibly use this issue
to cause a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libgoogle-gson-java 2.8.8-1ubuntu0.1
Ubuntu 20.04 LTS:
libgoogle-gson-java 2.8.5-3+deb10u1build0.20.04.1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libgoogle-gson-java 2.8.5-3~18.04.1~esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libgoogle-gson-java 2.4-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6692-1
CVE-2022-25647
Package Information:
https://launchpad.net/ubuntu/+source/libgoogle-gson-java/2.8.8-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libgoogle-gson-java/2.8.5-3+deb10u1build0.20.04.1
[USN-6691-1] OVN vulnerability
==========================================================================
Ubuntu Security Notice USN-6691-1
March 12, 2024
ovn vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
OVN could be made to disrupt traffic.
Software Description:
- ovn: system to support virtual network abstraction
Details:
It was discovered that OVN incorrectly enabled OVS Bidirectional Forwarding
Detection on logical ports. A remote attacker could possibly use this issue
to disrupt traffic.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
ovn-central 23.09.0-1ubuntu0.1
ovn-common 23.09.0-1ubuntu0.1
ovn-host 23.09.0-1ubuntu0.1
ovn-ic 23.09.0-1ubuntu0.1
Ubuntu 22.04 LTS:
ovn-central 22.03.3-0ubuntu0.22.04.2
ovn-common 22.03.3-0ubuntu0.22.04.2
ovn-host 22.03.3-0ubuntu0.22.04.2
ovn-ic 22.03.3-0ubuntu0.22.04.2
Ubuntu 20.04 LTS:
ovn-central 20.03.2-0ubuntu0.20.04.5
ovn-common 20.03.2-0ubuntu0.20.04.5
ovn-host 20.03.2-0ubuntu0.20.04.5
ovn-ic 20.03.2-0ubuntu0.20.04.5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6691-1
CVE-2024-2182
Package Information:
https://launchpad.net/ubuntu/+source/ovn/23.09.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/ovn/22.03.3-0ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/ovn/20.03.2-0ubuntu0.20.04.5
[USN-6656-2] PostgreSQL vulnerability
==========================================================================
Ubuntu Security Notice USN-6656-2
March 12, 2024
postgresql-9.5 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
PostgreSQL could be made to run arbitrary SQL.
Software Description:
- postgresql-9.5: Object-relational SQL database
Details:
USN-6656-1 fixed several vulnerabilities in PostgreSQL. This update provides
the corresponding updates for Ubuntu 16.04 LTS.
Original advisory details:
It was discovered that PostgreSQL incorrectly handled dropping privileges
when handling REFRESH MATERIALIZED VIEW CONCURRENTLY commands. If a user or
automatic system were tricked into running a specially crafted command, a
remote attacker could possibly use this issue to execute arbitrary SQL
functions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
postgresql-9.5 9.5.25-0ubuntu0.16.04.1+esm7
postgresql-client-9.5 9.5.25-0ubuntu0.16.04.1+esm7
After a standard system update you need to restart PostgreSQL to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6656-2
https://ubuntu.com/security/notices/USN-6656-1
CVE-2024-0985
[USN-6693-1] .NET vulnerability
==========================================================================
Ubuntu Security Notice USN-6693-1
March 12, 2024
dotnet7, dotnet8 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
Summary:
.NET could be made to crash if it processed specially crafted requests.
Software Description:
- dotnet7: .NET CLI tools and runtime
- dotnet8: .NET CLI tools and runtime
Details:
It was discovered that .NET did not properly handle certain specially
crafted requests. An attacker could potentially use this issue to cause
a resource leak, leading to a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
aspnetcore-runtime-7.0 7.0.117-0ubuntu1~23.10.1
aspnetcore-runtime-8.0 8.0.3-0ubuntu1~23.10.1
dotnet-runtime-7.0 7.0.117-0ubuntu1~23.10.1
dotnet-runtime-8.0 8.0.3-0ubuntu1~23.10.1
dotnet7 7.0.117-0ubuntu1~23.10.1
dotnet8 8.0.103-8.0.3-0ubuntu1~23.10.1
Ubuntu 22.04 LTS:
aspnetcore-runtime-7.0 7.0.117-0ubuntu1~22.04.1
aspnetcore-runtime-8.0 8.0.3-0ubuntu1~22.04.1
dotnet-runtime-7.0 7.0.117-0ubuntu1~22.04.1
dotnet-runtime-8.0 8.0.3-0ubuntu1~22.04.1
dotnet7 7.0.117-0ubuntu1~22.04.1
dotnet8 8.0.103-8.0.3-0ubuntu1~22.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6693-1
CVE-2024-21392
Package Information:
https://launchpad.net/ubuntu/+source/dotnet7/7.0.117-0ubuntu1~23.10.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.103-8.0.3-0ubuntu1~23.10.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.117-0ubuntu1~22.04.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.103-8.0.3-0ubuntu1~22.04.1
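Each of the six notices above ends with the same instruction: compare the installed package version against the fixed version listed for your release. The following is an added example for doing that audit offline, not code from Ubuntu, dpkg or any of the affected projects. It re-implements dpkg's version ordering (epoch, then upstream part, then Debian revision, with "~" sorting before everything including the end of the string and "+" sorting after it), carries an abbreviated table transcribed from the Ubuntu 22.04 LTS entries of USN-6690-1, USN-6692-1, USN-6691-1 and USN-6693-1, and runs it over a constructed sample of dpkg-query output. The one caveat it makes visible is the tilde: a fixed version such as 8.0.3-0ubuntu1~22.04.1 sorts below 8.0.3-0ubuntu1, so the comparison must use the release-specific string from the notice, not a version guessed from the upstream number.

```python
"""Audit installed packages against the fixed versions in this USN digest.

Added example, not dpkg's or Ubuntu's code. The comparator re-implements
dpkg's ordering rules; the FIXED_22_04 table is transcribed (abbreviated)
from the Ubuntu 22.04 LTS entries above; SAMPLE_DPKG_QUERY is constructed.
"""


def _order(c):
    # Weight of a non-digit character, as in dpkg's verrevcmp(): '~' sorts
    # before anything, letters by code point, other symbols after letters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    # Compare an upstream or revision string the way dpkg does: alternate
    # non-digit runs (by _order; end of string counts as 0) and digit runs
    # (numerically, leading zeros ignored).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (
            j < len(b) and not b[j].isdigit()
        ):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    # [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision
    # compares equal to "0". The revision is everything after the LAST '-'.
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    rc = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (rc > 0) - (rc < 0)


# Fixed versions for Ubuntu 22.04 LTS, transcribed from the notices above
# (abbreviated; extend from the "Update instructions" sections as needed).
FIXED_22_04 = {
    "openvswitch-common": "2.17.9-0ubuntu0.22.04.1",
    "python3-openvswitch": "2.17.9-0ubuntu0.22.04.1",
    "libgoogle-gson-java": "2.8.8-1ubuntu0.1",
    "ovn-central": "22.03.3-0ubuntu0.22.04.2",
    "ovn-common": "22.03.3-0ubuntu0.22.04.2",
    "ovn-host": "22.03.3-0ubuntu0.22.04.2",
    "ovn-ic": "22.03.3-0ubuntu0.22.04.2",
    "dotnet-runtime-8.0": "8.0.3-0ubuntu1~22.04.1",
    "dotnet8": "8.0.103-8.0.3-0ubuntu1~22.04.1",
}

# Constructed sample of: dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'
SAMPLE_DPKG_QUERY = """\
openvswitch-common\t2.17.9-0ubuntu0.22.04.1\tinstall ok installed
python3-openvswitch\t2.17.3-0ubuntu1\tinstall ok installed
libgoogle-gson-java\t2.8.8-1ubuntu0.1\tinstall ok installed
ovn-central\t22.03.3-0ubuntu0.22.04.1\tinstall ok installed
ovn-host\t22.03.3-0ubuntu0.22.04.1\tdeinstall ok config-files
dotnet-runtime-8.0\t8.0.3-0ubuntu1~22.04.1\tinstall ok installed
"""


def audit(dpkg_output, fixed):
    """Map package -> (installed, required, 'ok' | 'vulnerable') for every
    currently installed package that the fixed-version table names."""
    result = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, installed, status = line.split("\t")
        # Skip packages not in the table and removed-but-not-purged entries.
        if name not in fixed or not status.endswith(" installed"):
            continue
        required = fixed[name]
        state = "ok" if compare_versions(installed, required) >= 0 else "vulnerable"
        result[name] = (installed, required, state)
    return result


if __name__ == "__main__":
    for name, (cur, req, state) in sorted(audit(SAMPLE_DPKG_QUERY, FIXED_22_04).items()):
        print(f"{state:10} {name:22} {cur}  (fixed in {req})")
```

On a real host, feed it the output of `dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'` instead of the sample, and spot-check any surprising result with `dpkg --compare-versions`, which is the authoritative implementation of these rules. The sample deliberately includes a package at an older upstream release (python3-openvswitch), one at the right upstream but the previous Ubuntu revision (ovn-central), and one that is only left in config-files state (ovn-host), so the three distinct outcomes are visible.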