Ubuntu 6614 Published by

The following updates are available for Ubuntu Linux:

[USN-6728-2] Squid regression
[USN-6730-1] Apache Maven Shared Utils vulnerability
[USN-6727-2] NSS regression
[USN-6729-1] Apache HTTP Server vulnerabilities




[USN-6728-2] Squid regression


==========================================================================
Ubuntu Security Notice USN-6728-2
April 11, 2024

squid regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

USN-6728-1 introduced a regression in Squid.

Software Description:
- squid: Web proxy cache server

Details:

USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused
Squid to crash in certain environments on Ubuntu 20.04 LTS. The problematic
fix has been reverted pending further investigation.

We apologize for the inconvenience.

Original advisory details:

Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)
Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. (CVE-2023-5824)
Joshua Rogers discovered that Squid incorrectly handled Cache Manager error
responses. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-23638)
Joshua Rogers discovered that Squid incorrectly handled the HTTP Chunked
decoder. A remote attacker could possibly use this issue to cause Squid to
stop responding, resulting in a denial of service. (CVE-2024-25111)
Joshua Rogers discovered that Squid incorrectly handled HTTP header
parsing. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-25617)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
squid 4.10-1ubuntu1.11

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6728-2
https://ubuntu.com/security/notices/USN-6728-1
https://launchpad.net/bugs/2060880

Package Information:
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.11



[USN-6730-1] Apache Maven Shared Utils vulnerability


==========================================================================
Ubuntu Security Notice USN-6730-1
April 11, 2024

maven-shared-utils vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 22.04 LTS
- - Ubuntu 20.04 LTS
- - Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- - Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- - Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

maven-shared-utils could be made to run programs if it received
specially crafted input.

Software Description:
- - maven-shared-utils: A collection of Maven utility classes.

Details:

It was discovered that Apache Maven Shared Utils did not handle double-quoted
strings properly, allowing shell injection attacks. This could allow an
attacker to run arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
libmaven-shared-utils-java 3.3.0-1ubuntu0.22.04.1

Ubuntu 20.04 LTS:
libmaven-shared-utils-java 3.3.0-1ubuntu0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 3.3.0-1ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 0.9-1ubuntu0.1~esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 0.4-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6730-1
CVE-2022-29599

Package Information:
https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.20.04.1



[USN-6727-2] NSS regression


==========================================================================
Ubuntu Security Notice USN-6727-2
April 11, 2024

nss regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

USN-6727-1 introduced a regression in NSS.

Software Description:
- nss: Network Security Service library

Details:

USN-6727-1 fixed vulnerabilities in NSS. The update introduced a regression
when trying to load security modules on Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)
It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)
It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-6135)
The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.98 which includes the latest CA certificate
bundle and other security improvements.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
libnss3 2:3.98-0ubuntu0.22.04.2

Ubuntu 20.04 LTS:
libnss3 2:3.98-0ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6727-2
https://ubuntu.com/security/notices/USN-6727-1
https://launchpad.net/bugs/2060906

Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.20.04.2



[USN-6729-1] Apache HTTP Server vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6729-1
April 11, 2024

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

Orange Tsai discovered that the Apache HTTP Server incorrectly handled
validating certain input. A remote attacker could possibly use this
issue to perform HTTP request splitting attacks. (CVE-2023-38709)

Keran Mu and Jianjun Chen discovered that the Apache HTTP Server
incorrectly handled validating certain input. A remote attacker could
possibly use this issue to perform HTTP request splitting attacks.
(CVE-2024-24795)

Bartek Nowotarski discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled endless continuation frames. A remote attacker could
possibly use this issue to cause the server to consume resources, leading
to a denial of service. (CVE-2024-27316)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
apache2 2.4.57-2ubuntu2.4

Ubuntu 22.04 LTS:
apache2 2.4.52-1ubuntu4.9

Ubuntu 20.04 LTS:
apache2 2.4.41-4ubuntu3.17

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6729-1
CVE-2023-38709, CVE-2024-24795, CVE-2024-27316

Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.57-2ubuntu2.4
https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.9
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.17