Ubuntu 6286 Published by

The following updates are available for Ubuntu Linux:

[USN-6592-1] libssh vulnerabilities
[USN-6593-1] GnuTLS vulnerabilities
[USN-6587-2] X.Org X Server vulnerabilities
[USN-6591-1] Postfix vulnerability
[USN-6594-1] Squid vulnerabilities




[USN-6592-1] libssh vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6592-1
January 22, 2024

libssh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in libssh.

Software Description:
- libssh: A tiny C SSH library

Details:

It was discovered that libssh incorrectly handled the ProxyCommand and the
ProxyJump features. A remote attacker could possibly use this issue to
inject malicious code into the command of the features mentioned through
the hostname parameter. (CVE-2023-6004)

It was discovered that libssh incorrectly handled return codes when
performing message digest operations. A remote attacker could possibly use
this issue to cause libssh to crash, obtain sensitive information, or
execute arbitrary code. (CVE-2023-6918)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
libssh-4 0.10.5-3ubuntu1.2

Ubuntu 23.04:
libssh-4 0.10.4-2ubuntu0.3

Ubuntu 22.04 LTS:
libssh-4 0.9.6-2ubuntu0.22.04.3

Ubuntu 20.04 LTS:
libssh-4 0.9.3-2ubuntu2.5

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6592-1
CVE-2023-6004, CVE-2023-6918

Package Information:
https://launchpad.net/ubuntu/+source/libssh/0.10.5-3ubuntu1.2
https://launchpad.net/ubuntu/+source/libssh/0.10.4-2ubuntu0.3
https://launchpad.net/ubuntu/+source/libssh/0.9.6-2ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/libssh/0.9.3-2ubuntu2.5



[USN-6593-1] GnuTLS vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6593-1
January 22, 2024

gnutls28 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in GnuTLS.

Software Description:
- gnutls28: GNU TLS library

Details:

It was discovered that GnuTLS had a timing side-channel when processing
malformed ciphertexts in RSA-PSK ClientKeyExchange. A remote attacker could
possibly use this issue to recover sensitive information. (CVE-2024-0553)

It was discovered that GnuTLS incorrectly handled certain certificate
chains with a cross-signing loop. A remote attacker could possibly use this
issue to cause GnuTLS to crash, resulting in a denial of service. This
issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.
(CVE-2024-0567)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
libgnutls30 3.8.1-4ubuntu1.2

Ubuntu 23.04:
libgnutls30 3.7.8-5ubuntu1.2

Ubuntu 22.04 LTS:
libgnutls30 3.7.3-4ubuntu1.4

Ubuntu 20.04 LTS:
libgnutls30 3.6.13-2ubuntu1.10

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6593-1
CVE-2024-0553, CVE-2024-0567

Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.8.1-4ubuntu1.2
https://launchpad.net/ubuntu/+source/gnutls28/3.7.8-5ubuntu1.2
https://launchpad.net/ubuntu/+source/gnutls28/3.7.3-4ubuntu1.4
https://launchpad.net/ubuntu/+source/gnutls28/3.6.13-2ubuntu1.10



[USN-6587-2] X.Org X Server vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6587-2
January 22, 2024

xorg-server vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in X.Org X Server.

Software Description:
- xorg-server: X.Org X11 server

Details:

USN-6587-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An
attacker could possibly use this issue to cause the X Server to crash,
obtain sensitive information, or execute arbitrary code. (CVE-2023-6816)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
reattaching to a different master device. An attacker could use this issue
to cause the X Server to crash, leading to a denial of service, or possibly
execute arbitrary code. (CVE-2024-0229)

Olivier Fourdan and Donn Seeley discovered that the X.Org X Server
incorrectly labeled GLX PBuffers when used with SELinux. An attacker could
use this issue to cause the X Server to crash, leading to a denial of
service. (CVE-2024-0408)

Olivier Fourdan discovered that the X.Org X Server incorrectly handled
the curser code when used with SELinux. An attacker could use this issue to
cause the X Server to crash, leading to a denial of service.
(CVE-2024-0409)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the XISendDeviceHierarchyEvent API. An attacker
could possibly use this issue to cause the X Server to crash, or execute
arbitrary code. (CVE-2024-21885)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
devices being disabled. An attacker could possibly use this issue to cause
the X Server to crash, or execute arbitrary code. (CVE-2024-21886)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
xserver-xorg-core 2:1.19.6-1ubuntu4.15+esm4
xwayland 2:1.19.6-1ubuntu4.15+esm4

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
xserver-xorg-core 2:1.18.4-0ubuntu0.12+esm9
xwayland 2:1.18.4-0ubuntu0.12+esm9

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6587-2
https://ubuntu.com/security/notices/USN-6587-1
CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409,
CVE-2024-21885, CVE-2024-21886



[USN-6591-1] Postfix vulnerability


==========================================================================
Ubuntu Security Notice USN-6591-1
January 22, 2024

postfix vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Postfix could allow bypass of email authentication if it received
specially crafted network traffic.

Software Description:
- postfix: High-performance mail transport agent

Details:

Timo Longin discovered that Postfix incorrectly handled certain email line
endings. A remote attacker could possibly use this issue to bypass an email
authentication mechanism, allowing domain spoofing and potential spamming.

Please note that certain configuration changes are required to address
this issue. They are not enabled by default for backward compatibility.
Information can be found at https://www.postfix.org/smtp-smuggling.html.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
postfix 3.8.1-2ubuntu0.1

Ubuntu 22.04 LTS:
postfix 3.6.4-1ubuntu1.2

Ubuntu 20.04 LTS:
postfix 3.4.13-0ubuntu1.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
postfix 3.3.0-1ubuntu0.4+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
postfix 3.1.0-3ubuntu0.4+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
postfix 2.11.0-1ubuntu1.2+esm2

After a standard system update you need to enable
smtpd_forbid_bare_newline in your configuration and reload it to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6591-1
CVE-2023-51764, https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/2049337

Package Information:
https://launchpad.net/ubuntu/+source/postfix/3.8.1-2ubuntu0.1
https://launchpad.net/ubuntu/+source/postfix/3.6.4-1ubuntu1.2
https://launchpad.net/ubuntu/+source/postfix/3.4.13-0ubuntu1.3



[USN-6594-1] Squid vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6594-1
January 23, 2024

squid vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid: Web proxy cache server

Details:

Joshua Rogers discovered that Squid incorrectly handled HTTP message
processing. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-49285)

Joshua Rogers discovered that Squid incorrectly handled Helper process
management. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-49286)

Joshua Rogers discovered that Squid incorrectly handled HTTP request
parsing. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-50269)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
squid 6.1-2ubuntu1.2

Ubuntu 23.04:
squid 5.7-1ubuntu3.2

Ubuntu 22.04 LTS:
squid 5.7-0ubuntu0.22.04.3

Ubuntu 20.04 LTS:
squid 4.10-1ubuntu1.9

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6594-1
CVE-2023-49285, CVE-2023-49286, CVE-2023-50269

Package Information:
https://launchpad.net/ubuntu/+source/squid/6.1-2ubuntu1.2
https://launchpad.net/ubuntu/+source/squid/5.7-1ubuntu3.2
https://launchpad.net/ubuntu/+source/squid/5.7-0ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.9