Salt and Kerberos updates for Ubuntu

Ubuntu 6509 Published 2024-08-08 23:13 by Philipp Esselbach

News

The following updates are available for Ubuntu Linux:

[USN-6948-1] Salt vulnerabilities
[USN-6947-1] Kerberos vulnerabilities

[USN-6948-1] Salt vulnerabilities

=========================================================================
Ubuntu Security Notice USN-6948-1
August 08, 2024

salt vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Salt.

Software Description:
- salt: Infrastructure management built on a dynamic communication bus

Details:

It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2020-16846)

It was discovered that Salt incorrectly created certificates with weak
file permissions. (CVE-2020-17490)

It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to bypass authentication.
(CVE-2020-25592)

It was discovered that Salt incorrectly handled crafted process names.
An attacker could possibly use this issue to run arbitrary commands.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28243)

It was discovered that Salt incorrectly handled validation of SSL/TLS
certificates. A remote attacker could possibly use this issue to spoof
a trusted entity. (CVE-2020-28972, CVE-2020-35662)

It was discovered that Salt incorrectly handled credential validation.
A remote attacker could possibly use this issue to run arbitrary code.
(CVE-2021-25281)

It was discovered that Salt incorrectly handled crafted paths. A remote
attacker could possibly use this issue to perform directory traversal.
(CVE-2021-25282)

It was discovered that Salt incorrectly handled template rendering. A
remote attacker could possibly this issue to run arbitrary code.
(CVE-2021-25283)

It was discovered that Salt incorrectly handled logging. An attacker
could possibly use this issue to discover credentials. This issue only
affected Ubuntu 18.04 LTS. (CVE-2021-25284)

It was discovered that Salt incorrectly handled crafted web requests.
A remote attacker could possibly use this issue to run arbitrary
commands. This issue only affected Ubuntu 18.04 LTS. (CVE-2021-3148)

It was discovered that Salt incorrectly handled input sanitization.
A remote attacker could possibly use this issue to run arbitrary
commands. (CVE-2021-3197)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
salt-common 2017.7.4+dfsg1-1ubuntu18.04.2+esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
salt-common 2015.8.8+ds-1ubuntu0.1+esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6948-1
CVE-2020-16846, CVE-2020-17490, CVE-2020-25592, CVE-2020-28243,
CVE-2020-28972, CVE-2020-35662, CVE-2021-25281, CVE-2021-25282,
CVE-2021-25283, CVE-2021-25284, CVE-2021-3148, CVE-2021-3197

[USN-6947-1] Kerberos vulnerabilities

==========================================================================

Ubuntu Security Notice USN-6947-1
August 08, 2024

krb5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Kerberos could be made to crash if it received specially crafted
input.

Software Description:
- krb5: MIT Kerberos Network Authentication Protocol

Details:

It was discovered that Kerberos incorrectly handled GSS message tokens
where an unwrapped token could appear to be truncated. An attacker
could possibly use this issue to cause a denial of service.
(CVE-2024-37370)

It was discovered that Kerberos incorrectly handled GSS message tokens
when sent a token with invalid length fields. An attacker could possibly
use this issue to cause a denial of service. (CVE-2024-37371)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
krb5-admin-server 1.20.1-6ubuntu2.1
krb5-kdc 1.20.1-6ubuntu2.1
krb5-kdc-ldap 1.20.1-6ubuntu2.1
krb5-otp 1.20.1-6ubuntu2.1
krb5-pkinit 1.20.1-6ubuntu2.1
krb5-user 1.20.1-6ubuntu2.1
libgssapi-krb5-2 1.20.1-6ubuntu2.1
libgssrpc4t64 1.20.1-6ubuntu2.1
libk5crypto3 1.20.1-6ubuntu2.1
libkadm5clnt-mit12 1.20.1-6ubuntu2.1
libkadm5srv-mit12 1.20.1-6ubuntu2.1
libkdb5-10t64 1.20.1-6ubuntu2.1
libkrad0 1.20.1-6ubuntu2.1
libkrb5-3 1.20.1-6ubuntu2.1
libkrb5support0 1.20.1-6ubuntu2.1

Ubuntu 22.04 LTS
krb5-admin-server 1.19.2-2ubuntu0.4
krb5-kdc 1.19.2-2ubuntu0.4
krb5-kdc-ldap 1.19.2-2ubuntu0.4
krb5-otp 1.19.2-2ubuntu0.4
krb5-pkinit 1.19.2-2ubuntu0.4
krb5-user 1.19.2-2ubuntu0.4
libgssapi-krb5-2 1.19.2-2ubuntu0.4
libgssrpc4 1.19.2-2ubuntu0.4
libk5crypto3 1.19.2-2ubuntu0.4
libkadm5clnt-mit12 1.19.2-2ubuntu0.4
libkadm5srv-mit12 1.19.2-2ubuntu0.4
libkdb5-10 1.19.2-2ubuntu0.4
libkrad0 1.19.2-2ubuntu0.4
libkrb5-3 1.19.2-2ubuntu0.4
libkrb5support0 1.19.2-2ubuntu0.4

Ubuntu 20.04 LTS
krb5-admin-server 1.17-6ubuntu4.6
krb5-kdc 1.17-6ubuntu4.6
krb5-kdc-ldap 1.17-6ubuntu4.6
krb5-otp 1.17-6ubuntu4.6
krb5-pkinit 1.17-6ubuntu4.6
krb5-user 1.17-6ubuntu4.6
libgssapi-krb5-2 1.17-6ubuntu4.6
libgssrpc4 1.17-6ubuntu4.6
libk5crypto3 1.17-6ubuntu4.6
libkadm5clnt-mit11 1.17-6ubuntu4.6
libkadm5srv-mit11 1.17-6ubuntu4.6
libkdb5-9 1.17-6ubuntu4.6
libkrad0 1.17-6ubuntu4.6
libkrb5-3 1.17-6ubuntu4.6
libkrb5support0 1.17-6ubuntu4.6

Ubuntu 18.04 LTS
krb5-admin-server 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-kdc 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-kdc-ldap 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-otp 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-pkinit 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-user 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libgssapi-krb5-2 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libgssrpc4 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libk5crypto3 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkadm5clnt-mit11 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkadm5srv-mit11 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkdb5-9 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkrad0 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkrb5-3 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkrb5support0 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
krb5-admin-server 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-kdc 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-kdc-ldap 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-otp 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-pkinit 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-user 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libgssapi-krb5-2 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libgssrpc4 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libk5crypto3 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkadm5clnt-mit9 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkadm5srv-mit9 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkdb5-8 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkrad0 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkrb5-3 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkrb5support0 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro

Ubuntu 14.04 LTS
krb5-admin-server 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-kdc 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-kdc-ldap 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-otp 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-pkinit 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-user 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libgssapi-krb5-2 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libgssrpc4 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libk5crypto3 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkadm5clnt-mit9 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkadm5srv-mit8 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkadm5srv-mit9 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkdb5-7 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkrad0 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkrb5-3 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkrb5support0 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6947-1
( https://ubuntu.com/security/notices/USN-6947-1)
CVE-2024-37370, CVE-2024-37371

Package Information:
https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.1
( https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.1)
https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.4
( https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.4)
https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.6
( https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.6)

Python3-dnf-plugin-ulninfo, Libtiff, mdadm updates for Oracle Linux

Thunderbird, Odoo, Roundcube, Chromium updates for Debian

Salt and Kerberos updates for Ubuntu

[USN-6948-1] Salt vulnerabilities

[USN-6947-1] Kerberos vulnerabilities

Windows

Linux

macOS

Community