Skip to content

ubuntu jammy v1.486
Compare
Choose a tag to compare
@cf-bosh-ci-bot cf-bosh-ci-bot released this 02 Jul 01:45
ubuntu-jammy/v1.486
dc44e87

Metadata:

BOSH Agent Version: 2.663.0
Kernel Version: 5.15.0.113.113

USNs:

Title: USN-6847-1: libheif vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6847-1
Priorities: medium
Description:
It was discovered that libheif incorrectly handled certain image data.
An attacker could possibly use this issue to crash the program, resulting
in a denial of service. This issue only affected Ubuntu 18.04 LTS.
(CVE-2019-11471)

Reza Mirzazade Farkhani discovered that libheif incorrectly handled
certain image data. An attacker could possibly use this issue to crash the
program, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS. (CVE-2020-23109)

Eugene Lim discovered that libheif incorrectly handled certain image data.
An attacker could possibly use this issue to crash the program, resulting
in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-0996)

Min Jang discovered that libheif incorrectly handled certain image data.
An attacker could possibly use this issue to crash the program, resulting
in a denial of service. This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2023-29659)

Yuchuan Meng discovered that libheif incorrectly handled certain image data.
An attacker could possibly use this issue to crash the program, resulting
in a denial of service. This issue only affected Ubuntu 23.10.
(CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49464)
CVEs:

Title: USN-6842-1: gdb vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6842-1
Priorities: low
Description:
It was discovered that gdb incorrectly handled certain memory operations
when parsing an ELF file. An attacker could possibly use this issue
to cause a denial of service. This issue is the result of an
incomplete fix for CVE-2020-16599. This issue only affected
Ubuntu 22.04 LTS. (CVE-2022-4285)

It was discovered that gdb incorrectly handled memory leading
to a heap based buffer overflow. An attacker could use this
issue to cause a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS.
(CVE-2023-1972)

It was discovered that gdb incorrectly handled memory leading
to a stack overflow. An attacker could possibly use this issue
to cause a denial of service. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-39128)

It was discovered that gdb had a use after free vulnerability
under certain circumstances. An attacker could use this to cause
a denial of service or possibly execute arbitrary code. This issue
only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS
and Ubuntu 22.04 LTS. (CVE-2023-39129)

It was discovered that gdb incorrectly handled memory leading to a
heap based buffer overflow. An attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code. This issue
only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-39130)
CVEs:

Title: USN-6809-1: BlueZ vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6809-1
Priorities: low,medium
Description:
It was discovered that BlueZ could be made to dereference invalid memory.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 22.04 LTS. (CVE-2022-3563)

It was discovered that BlueZ could be made to write out of bounds. If a
user were tricked into connecting to a malicious device, an attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. (CVE-2023-27349)
CVEs:

Title: USN-6846-1: Ansible vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6846-1
Priorities: medium
Description:
It was discovered that Ansible incorrectly handled certain inputs when using
tower_callback parameter. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to obtain sensitive information. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3697)

It was discovered that Ansible incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file, a
remote attacker could possibly use this issue to perform a Template Injection.
(CVE-2023-5764)
CVEs:

Title: USN-6854-1: OpenSSL vulnerability
URL: https://ubuntu.com/security/notices/USN-6854-1
Priorities: medium
Description:
It was discovered that OpenSSL failed to choose an appropriately short
private key size when computing shared-secrets in the Diffie-Hellman Key
Agreement Protocol. A remote attacker could possibly use this issue to cause
OpenSSL to consume resources, resulting in a denial of service.
CVEs:

Title: USN-6851-1: Netplan vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6851-1
Priorities: medium
Description:
Andreas Hasenack discovered that netplan incorrectly handled the permissions
for netdev files containing wireguard configuration. An attacker could use this to obtain
wireguard secret keys.

It was discovered that netplan configuration could be manipulated into injecting
arbitrary commands while setting up network interfaces. An attacker could
use this to execute arbitrary commands or escalate privileges.
CVEs:

Title: USN-6822-1: Node.js vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6822-1
Priorities: medium
Description:
It was discovered that Node.js incorrectly handled certain inputs when it is
using the policy mechanism. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to bypass the policy mechanism. (CVE-2023-32002, CVE-2023-32006)

It was discovered that Node.js incorrectly handled certain inputs when it is
using the policy mechanism. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to perform a privilege escalation. (CVE-2023-32559)
CVEs:

Title: USN-6800-1: browserify-sign vulnerability
URL: https://ubuntu.com/security/notices/USN-6800-1
Priorities: medium
Description:
It was discovered that browserify-sign incorrectly handled an upper bound check
in signature verification. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to perform a signature forgery attack.
CVEs:

Title: LSN-0104-1: Kernel Live Patch Security Notice
URL: https://ubuntu.com/security/notices/LSN-0104-1
Priorities: high
Description:
It was discovered that the ATA over Ethernet (AoE) driver in the Linux
kernel contained a race condition, leading to a use-after-free
vulnerability. An attacker could use this to cause a denial of service or
possibly execute arbitrary code.(CVE-2023-6270)

It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.(CVE-2023-51781)

In the Linux kernel, the following vulnerability has been
resolved: netfilter: nft_set_rbtree: skip end interval element from gc
rbtree lazy gc on insert might collect an end interval element that has
been just added in this transactions, skip end interval elements that are
not yet active.(CVE-2024-26581)

In the Linux kernel, the following vulnerability has been
resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable
rmnet_link_ops assign a bigger maxtype which leads to a global out-of-
bounds read when parsing the netlink attributes.(CVE-2024-26597)
CVEs:

Title: USN-6819-4: Linux kernel (Oracle) vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6819-4
Priorities: medium,low,high,negligible
Description:
Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel
did not properly validate H2C PDU data, leading to a null pointer
dereference vulnerability. A remote attacker could use this to cause a
denial of service (system crash). (CVE-2023-6356, CVE-2023-6535,
CVE-2023-6536)

Chenyuan Yang discovered that the RDS Protocol implementation in the Linux
kernel contained an out-of-bounds read vulnerability. An attacker could use
this to possibly cause a denial of service (system crash). (CVE-2024-23849)

It was discovered that a race condition existed in the Bluetooth subsystem
in the Linux kernel, leading to a null pointer dereference vulnerability. A
privileged local attacker could use this to possibly cause a denial of
service (system crash). (CVE-2024-24860)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:

Title: USN-6805-1: libarchive vulnerability
URL: https://ubuntu.com/security/notices/USN-6805-1
Priorities: medium
Description:
It was discovered that libarchive incorrectly handled certain RAR archive files.
An attacker could possibly use this issue to execute arbitrary code
or cause a crash.
CVEs:

Title: USN-6844-1: CUPS vulnerability
URL: https://ubuntu.com/security/notices/USN-6844-1
Priorities: medium
Description:
Rory McNamara discovered that when starting the cupsd server with a
Listen configuration item, the cupsd process fails to validate if
bind call passed. An attacker could possibly trick cupsd to perform
an arbitrary chmod of the provided argument, providing world-writable
access to the target.
CVEs:

Title: USN-6801-1: PyMySQL vulnerability
URL: https://ubuntu.com/security/notices/USN-6801-1
Priorities: medium
Description:
It was discovered that PyMySQL incorrectly escaped untrusted JSON input. An
attacker could possibly use this issue to perform SQL injection attacks.
CVEs:

Title: USN-6843-1: Plasma Workspace vulnerability
URL: https://ubuntu.com/security/notices/USN-6843-1
Priorities: medium
Description:
Fabian Vogt discovered that Plasma Workspace incorrectly handled
connections via ICE. A local attacker could possibly use this issue to
gain access to another user's session manager and execute arbitrary code.
CVEs:

Title: USN-6852-1: Wget vulnerability
URL: https://ubuntu.com/security/notices/USN-6852-1
Priorities: medium
Description:
It was discovered that Wget incorrectly handled semicolons in the userinfo
subcomponent of a URI. A remote attacker could possibly trick a user into
connecting to a different host than expected.
CVEs:

Title: USN-6798-1: GStreamer Base Plugins vulnerability
URL: https://ubuntu.com/security/notices/USN-6798-1
Priorities: medium
Description:
It was discovered that GStreamer Base Plugins incorrectly handled certain
EXIF metadata. An attacker could possibly use this issue to execute arbitrary
code or cause a crash.
CVEs:

Title: USN-6859-1: OpenSSH vulnerability
URL: https://ubuntu.com/security/notices/USN-6859-1
Priorities: high
Description:
It was discovered that OpenSSH incorrectly handled signal management. A
remote attacker could use this issue to bypass authentication and remotely
access systems without proper credentials.
CVEs:

What's Changed

  • Vary location of grub config if the stemcell is EFI or not by @selzoc in #362

New Contributors

Full Changelog: ubuntu-jammy/v1.351...ubuntu-jammy/v1.486

Contributors

selzoc
Assets 2
Loading