Ubuntu 6614 Published by

The following three security updates are available for Ubuntu Linux:

[USN-6719-2] util-linux vulnerability
[USN-6728-1] Squid vulnerabilities
[USN-6727-1] NSS vulnerabilities




[USN-6719-2] util-linux vulnerability


==========================================================================
Ubuntu Security Notice USN-6719-2
April 10, 2024

util-linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

util-linux could be made to expose sensitive information.

Software Description:
- util-linux: miscellaneous system utilities

Details:

USN-6719-1 fixed a vulnerability in util-linux. Unfortunately, it was
discovered that the fix did not fully address the issue. This update
removes the setgid permission bit from the wall and write utilities.

Original advisory details:

Skyler Ferrante discovered that the util-linux wall command did not filter
escape sequences from command line arguments. A local attacker could
possibly use this issue to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
util-linux 2.39.1-4ubuntu2.2

Ubuntu 22.04 LTS:
util-linux 2.37.2-4ubuntu3.4

Ubuntu 20.04 LTS:
util-linux 2.34-0.1ubuntu9.6

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6719-2
https://ubuntu.com/security/notices/USN-6719-1
CVE-2024-28085

Package Information:
https://launchpad.net/ubuntu/+source/util-linux/2.39.1-4ubuntu2.2
https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.4
https://launchpad.net/ubuntu/+source/util-linux/2.34-0.1ubuntu9.6



[USN-6728-1] Squid vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6728-1
April 10, 2024

squid vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid: Web proxy cache server

Details:

Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)

Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. (CVE-2023-5824)

Joshua Rogers discovered that Squid incorrectly handled Cache Manager error
responses. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-23638)

Joshua Rogers discovered that Squid incorrectly handled the HTTP Chunked
decoder. A remote attacker could possibly use this issue to cause Squid to
stop responding, resulting in a denial of service. (CVE-2024-25111)

Joshua Rogers discovered that Squid incorrectly handled HTTP header
parsing. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-25617)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
squid 6.1-2ubuntu1.3

Ubuntu 22.04 LTS:
squid 5.7-0ubuntu0.22.04.4

Ubuntu 20.04 LTS:
squid 4.10-1ubuntu1.10

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6728-1
CVE-2023-49288, CVE-2023-5824, CVE-2024-23638, CVE-2024-25111,
CVE-2024-25617

Package Information:
https://launchpad.net/ubuntu/+source/squid/6.1-2ubuntu1.3
https://launchpad.net/ubuntu/+source/squid/5.7-0ubuntu0.22.04.4
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.10



[USN-6727-1] NSS vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6727-1
April 10, 2024

nss vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in NSS.

Software Description:
- nss: Network Security Service library

Details:

It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)

It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)

It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-6135)

The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.98 which includes the latest CA certificate
bundle and other security improvements.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
libnss3 2:3.98-0ubuntu0.23.10.1

Ubuntu 22.04 LTS:
libnss3 2:3.98-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
libnss3 2:3.98-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://ubuntu.com/security/notices/USN-6727-1
CVE-2023-4421, CVE-2023-5388, CVE-2023-6135

Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/nss/2:3.98-0ubuntu0.20.04.1