[USN-6728-2] Squid regression
[USN-6730-1] Apache Maven Shared Utils vulnerability
[USN-6727-2] NSS regression
[USN-6729-1] Apache HTTP Server vulnerabilities
[USN-6728-2] Squid regression
==========================================================================
Ubuntu Security Notice USN-6728-2
April 11, 2024
squid regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
USN-6728-1 introduced a regression in Squid.
Software Description:
- squid: Web proxy cache server
Details:
USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused
Squid to crash in certain environments on Ubuntu 20.04 LTS. The problematic
fix has been reverted pending further investigation.
We apologize for the inconvenience.
Original advisory details:
Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)
Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. (CVE-2023-5824)
Joshua Rogers discovered that Squid incorrectly handled Cache Manager error
responses. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-23638)
Joshua Rogers discovered that Squid incorrectly handled the HTTP Chunked
decoder. A remote attacker could possibly use this issue to cause Squid to
stop responding, resulting in a denial of service. (CVE-2024-25111)
Joshua Rogers discovered that Squid incorrectly handled HTTP header
parsing. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-25617)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
squid 4.10-1ubuntu1.11
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6728-2
https://ubuntu.com/security/notices/USN-6728-1
https://launchpad.net/bugs/2060880
Package Information:
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.11
[USN-6730-1] Apache Maven Shared Utils vulnerability
==========================================================================
Ubuntu Security Notice USN-6730-1
April 11, 2024
maven-shared-utils vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- - Ubuntu 22.04 LTS
- - Ubuntu 20.04 LTS
- - Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- - Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- - Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
maven-shared-utils could be made to run programs if it received
specially crafted input.
Software Description:
- - maven-shared-utils: A collection of Maven utility classes.
Details:
It was discovered that Apache Maven Shared Utils did not handle double-quoted
strings properly, allowing shell injection attacks. This could allow an
attacker to run arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libmaven-shared-utils-java 3.3.0-1ubuntu0.22.04.1
Ubuntu 20.04 LTS:
libmaven-shared-utils-java 3.3.0-1ubuntu0.20.04.1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 3.3.0-1ubuntu0.18.04.1~esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 0.9-1ubuntu0.1~esm1
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 0.4-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6730-1
CVE-2022-29599
Package Information:
https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.20.04.1
[USN-6727-2] NSS regression
==========================================================================
Ubuntu Security Notice USN-6727-2
April 11, 2024
nss regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
USN-6727-1 introduced a regression in NSS.
Software Description:
- nss: Network Security Service library
Details:
USN-6727-1 fixed vulnerabilities in NSS. The update introduced a regression
when trying to load security modules on Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)
It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)
It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-6135)
The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.98 which includes the latest CA certificate
bundle and other security improvements.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libnss3 2:3.98-0ubuntu0.22.04.2
Ubuntu 20.04 LTS:
libnss3 2:3.98-0ubuntu0.20.04.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6727-2
https://ubuntu.com/security/notices/USN-6727-1
https://launchpad.net/bugs/2060906
Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.20.04.2
[USN-6729-1] Apache HTTP Server vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6729-1
April 11, 2024
apache2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Apache HTTP Server.
Software Description:
- apache2: Apache HTTP server
Details:
Orange Tsai discovered that the Apache HTTP Server incorrectly handled
validating certain input. A remote attacker could possibly use this
issue to perform HTTP request splitting attacks. (CVE-2023-38709)
Keran Mu and Jianjun Chen discovered that the Apache HTTP Server
incorrectly handled validating certain input. A remote attacker could
possibly use this issue to perform HTTP request splitting attacks.
(CVE-2024-24795)
Bartek Nowotarski discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled endless continuation frames. A remote attacker could
possibly use this issue to cause the server to consume resources, leading
to a denial of service. (CVE-2024-27316)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
apache2 2.4.57-2ubuntu2.4
Ubuntu 22.04 LTS:
apache2 2.4.52-1ubuntu4.9
Ubuntu 20.04 LTS:
apache2 2.4.41-4ubuntu3.17
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6729-1
CVE-2023-38709, CVE-2024-24795, CVE-2024-27316
Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.57-2ubuntu2.4
https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.9
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.17
