[USN-6719-2] util-linux vulnerability
==========================================================================
Ubuntu Security Notice USN-6719-2
April 10, 2024
util-linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
util-linux could be made to expose sensitive information.
Software Description:
- util-linux: miscellaneous system utilities
Details:
USN-6719-1 fixed a vulnerability in util-linux. Unfortunately, it was
discovered that the fix did not fully address the issue. This update
removes the setgid permission bit from the wall and write utilities.

Original advisory details:

Skyler Ferrante discovered that the util-linux wall command did not filter
escape sequences from command line arguments. A local attacker could
possibly use this issue to obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
util-linux 2.39.1-4ubuntu2.2
Ubuntu 22.04 LTS:
util-linux 2.37.2-4ubuntu3.4
Ubuntu 20.04 LTS:
util-linux 2.34-0.1ubuntu9.6
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6719-2
https://ubuntu.com/security/notices/USN-6719-1
CVE-2024-28085
Package Information:
https://launchpad.net/ubuntu/+source/util-linux/2.39.1-4ubuntu2.2
https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.4
https://launchpad.net/ubuntu/+source/util-linux/2.34-0.1ubuntu9.6
[USN-6728-1] Squid vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6728-1
April 10, 2024
squid vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Squid.
Software Description:
- squid: Web proxy cache server
Details:
Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)

Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. (CVE-2023-5824)

Joshua Rogers discovered that Squid incorrectly handled Cache Manager error
responses. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-23638)

Joshua Rogers discovered that Squid incorrectly handled the HTTP Chunked
decoder. A remote attacker could possibly use this issue to cause Squid to
stop responding, resulting in a denial of service. (CVE-2024-25111)

Joshua Rogers discovered that Squid incorrectly handled HTTP header
parsing. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-25617)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
squid 6.1-2ubuntu1.3
Ubuntu 22.04 LTS:
squid 5.7-0ubuntu0.22.04.4
Ubuntu 20.04 LTS:
squid 4.10-1ubuntu1.10
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6728-1
CVE-2023-49288, CVE-2023-5824, CVE-2024-23638, CVE-2024-25111,
CVE-2024-25617
Package Information:
https://launchpad.net/ubuntu/+source/squid/6.1-2ubuntu1.3
https://launchpad.net/ubuntu/+source/squid/5.7-0ubuntu0.22.04.4
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.10
[USN-6727-1] NSS vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6727-1
April 10, 2024
nss vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in NSS.
Software Description:
- nss: Network Security Service library
Details:
It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)

It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)

It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-6135)

The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.98 which includes the latest CA certificate
bundle and other security improvements.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
libnss3 2:3.98-0ubuntu0.23.10.1
Ubuntu 22.04 LTS:
libnss3 2:3.98-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
libnss3 2:3.98-0ubuntu0.20.04.1
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-6727-1
CVE-2023-4421, CVE-2023-5388, CVE-2023-6135
Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.20.04.1
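
Added example (not part of the notices above): a host check that compares the installed util-linux, squid and libnss3 packages against the fixed versions listed under "Update instructions" in the three notices, and confirms the setgid removal described in USN-6719-2. The function names and the paths /usr/bin/wall and /usr/bin/write are assumptions of this example.

```shell
# Fixed version of package $1 on Ubuntu release $2, copied from the notices.
fixed_version() {
    case "$1/$2" in
        util-linux/23.10) echo '2.39.1-4ubuntu2.2' ;;
        util-linux/22.04) echo '2.37.2-4ubuntu3.4' ;;
        util-linux/20.04) echo '2.34-0.1ubuntu9.6' ;;
        squid/23.10)      echo '6.1-2ubuntu1.3' ;;
        squid/22.04)      echo '5.7-0ubuntu0.22.04.4' ;;
        squid/20.04)      echo '4.10-1ubuntu1.10' ;;
        libnss3/23.10)    echo '2:3.98-0ubuntu0.23.10.1' ;;
        libnss3/22.04)    echo '2:3.98-0ubuntu0.22.04.1' ;;
        libnss3/20.04)    echo '2:3.98-0ubuntu0.20.04.1' ;;
        *) return 1 ;;
    esac
}

# True when an octal mode string (as printed by `stat -c %a`) has setgid set.
mode_has_setgid() { [ $(( 0$1 & 02000 )) -ne 0 ]; }

# Audit this host; returns non-zero if a package is old or a binary is setgid.
audit_host() {
    rc=0
    rel=$(. /etc/os-release 2>/dev/null && echo "$VERSION_ID")
    for pkg in util-linux squid libnss3; do
        want=$(fixed_version "$pkg" "$rel") || { echo "$pkg: release '$rel' not covered"; continue; }
        have=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null)
        if [ -z "$have" ]; then
            echo "$pkg: not installed"
        elif dpkg --compare-versions "$have" ge "$want"; then
            echo "$pkg: $have ok (fixed in $want)"
        else
            echo "$pkg: $have is older than $want"; rc=1
        fi
    done
    # USN-6719-2: wall and write must no longer carry the setgid bit.
    # Paths are assumptions; -L follows an alternatives symlink if present.
    for bin in /usr/bin/wall /usr/bin/write; do
        [ -e "$bin" ] || continue
        if mode_has_setgid "$(stat -L -c %a "$bin")"; then
            echo "$bin: setgid bit still set"; rc=1
        fi
    done
    return "$rc"
}

# Run only where dpkg is available, so the file also loads on other systems.
if command -v dpkg-query >/dev/null 2>&1; then
    audit_host || echo 'one or more checks failed' >&2
fi
```

mode_has_setgid takes the mode as a string, so it can also be applied to `stat` output already collected from other hosts.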