Ubuntu 6599 Published by

New updates are available for Ubuntu Linux, addressing two regressions and one security issue:

[USN-6851-2] Netplan regression
[USN-6844-2] CUPS regression
[USN-6860-1] OpenVPN vulnerabilities




[USN-6851-2] Netplan regression


==========================================================================
Ubuntu Security Notice USN-6851-2
June 28, 2024

netplan.io regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

USN-6851-1 caused systemctl enable to fail

Software Description:
- netplan.io: Declarative network configuration for various backends

Details:

USN-6851-1 fixed vulnerabilities in Netplan. The update lead to the
discovery of
a regression in netplan which caused systemctl enable to fail on systems
without
dbus. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Andreas Hasenack discovered that netplan incorrectly handled the permissions
for netdev files containing wireguard configuration. An attacker could use
this to obtain wireguard secret keys.

It was discovered that netplan configuration could be manipulated into
injecting
arbitrary commands while setting up network interfaces. An attacker could
use this to execute arbitrary commands or escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libnetplan1 1.0-2ubuntu1.2
netplan-generator 1.0-2ubuntu1.2
netplan.io 1.0-2ubuntu1.2

Ubuntu 23.10
libnetplan0 0.107-5ubuntu0.4
netplan-generator 0.107-5ubuntu0.4
netplan.io 0.107-5ubuntu0.4

Ubuntu 22.04 LTS
libnetplan0 0.106.1-7ubuntu0.22.04.4
netplan.io 0.106.1-7ubuntu0.22.04.4

Ubuntu 20.04 LTS
libnetplan0 0.104-0ubuntu2~20.04.6
netplan.io 0.104-0ubuntu2~20.04.6

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6851-2
https://ubuntu.com/security/notices/USN-6851-1
https://launchpad.net/bugs/2071333

Package Information:
https://launchpad.net/ubuntu/+source/netplan.io/1.0-2ubuntu1.2
https://launchpad.net/ubuntu/+source/netplan.io/0.107-5ubuntu0.4
https://launchpad.net/ubuntu/+source/netplan.io/0.106.1-7ubuntu0.22.04.4
https://launchpad.net/ubuntu/+source/netplan.io/0.104-0ubuntu2~20.04.6



[USN-6844-2] CUPS regression


==========================================================================

Ubuntu Security Notice USN-6844-2
June 28, 2024

cups regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-6844-1 caused the cupsd daemon to never start

Software Description:
- cups: Common UNIX Printing System(tm)

Details:

USN-6844-1 fixed vulnerabilities in the CUPS package. The update
lead to the discovery of a regression in CUPS with regards to
how the cupsd daemon handles Listen configuration directive.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:
Rory McNamara discovered that when starting the cupsd server with a
Listen configuration item, the cupsd process fails to validate if
bind call passed. An attacker could possibly trick cupsd to perform
an arbitrary chmod of the provided argument, providing world-writable
access to the target.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  cups                            2.4.7-1.2ubuntu7.2
  cups-daemon                     2.4.7-1.2ubuntu7.2

Ubuntu 23.10
  cups                            2.4.6-0ubuntu3.2
  cups-daemon                     2.4.6-0ubuntu3.2

Ubuntu 22.04 LTS
  cups                            2.4.1op1-1ubuntu4.10
  cups-daemon                     2.4.1op1-1ubuntu4.10

Ubuntu 20.04 LTS
  cups                            2.3.1-9ubuntu1.8
  cups-daemon                     2.3.1-9ubuntu1.8

Ubuntu 18.04 LTS
  cups                            2.2.7-1ubuntu2.10+esm5
                                  Available with Ubuntu Pro
  cups-daemon                     2.2.7-1ubuntu2.10+esm5
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  cups                            2.1.3-4ubuntu0.11+esm7
                                  Available with Ubuntu Pro
  cups-daemon                     2.1.3-4ubuntu0.11+esm7
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6844-2
( https://ubuntu.com/security/notices/USN-6844-2)
https://ubuntu.com/security/notices/USN-6844-1
( https://ubuntu.com/security/notices/USN-6844-1)
https://launchpad.net/bugs/2070315 ( https://launchpad.net/bugs/2070315)

Package Information:
https://launchpad.net/ubuntu/+source/cups/2.4.7-1.2ubuntu7.2
( https://launchpad.net/ubuntu/+source/cups/2.4.7-1.2ubuntu7.2)
https://launchpad.net/ubuntu/+source/cups/2.4.6-0ubuntu3.2
( https://launchpad.net/ubuntu/+source/cups/2.4.6-0ubuntu3.2)
https://launchpad.net/ubuntu/+source/cups/2.4.1op1-1ubuntu4.10
( https://launchpad.net/ubuntu/+source/cups/2.4.1op1-1ubuntu4.10)
https://launchpad.net/ubuntu/+source/cups/2.3.1-9ubuntu1.8
( https://launchpad.net/ubuntu/+source/cups/2.3.1-9ubuntu1.8)



[USN-6860-1] OpenVPN vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6860-1
July 02, 2024

openvpn vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenVPN.

Software Description:
- openvpn: virtual private network software

Details:

Reynir Björnsson discovered that OpenVPN incorrectly handled terminating
client connections. A remote authenticated client could possibly use this
issue to keep the connection active, bypassing certain security policies.
This issue only affected Ubuntu 23.10, and Ubuntu 24.04 LTS.
(CVE-2024-28882)

Reynir Björnsson discovered that OpenVPN incorrectly handled certain
control channel messages with nonprintable characters. A remote attacker
could possibly use this issue to cause OpenVPN to consume resources, or
fill up log files with garbage, leading to a denial of service.
(CVE-2024-5594)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
openvpn 2.6.9-1ubuntu4.1

Ubuntu 23.10
openvpn 2.6.5-0ubuntu1.2

Ubuntu 22.04 LTS
openvpn 2.5.9-0ubuntu0.22.04.3

Ubuntu 20.04 LTS
openvpn 2.4.12-0ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6860-1
CVE-2024-28882, CVE-2024-5594

Package Information:
https://launchpad.net/ubuntu/+source/openvpn/2.6.9-1ubuntu4.1
https://launchpad.net/ubuntu/+source/openvpn/2.6.5-0ubuntu1.2
https://launchpad.net/ubuntu/+source/openvpn/2.5.9-0ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/openvpn/2.4.12-0ubuntu0.20.04.2