Ubuntu 6576 Published by

The following security updates have been released for Ubuntu Linux:

[USN-6937-1] OpenSSL vulnerabilities
[USN-6933-1] ClickHouse vulnerabilities
[USN-6939-1] Exim vulnerability
[USN-6936-1] Apache Commons Collections vulnerability
[USN-6913-2] phpCAS vulnerability




[USN-6937-1] OpenSSL vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6937-1
July 31, 2024

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL incorrectly handled TLSv1.3 sessions when
certain non-default TLS server configurations were in use. A remote
attacker could possibly use this issue to cause OpenSSL to consume
resources, leading to a denial of service. (CVE-2024-2511)

It was discovered that OpenSSL incorrectly handled checking excessively
long DSA keys or parameters. A remote attacker could possibly use this
issue to cause OpenSSL to consume resources, leading to a denial of
service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
(CVE-2024-4603)

William Ahern discovered that OpenSSL incorrectly handled certain memory
operations in a rarely-used API. A remote attacker could use this issue to
cause OpenSSL to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2024-4741)

Joseph Birr-Pixton discovered that OpenSSL incorrectly handled calling a
certain API with an empty supported client protocols buffer. A remote
attacker could possibly use this issue to obtain sensitive information, or
cause OpenSSL to crash, resulting in a denial of service. (CVE-2024-5535)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libssl3t64 3.0.13-0ubuntu3.2

Ubuntu 22.04 LTS
libssl3 3.0.2-0ubuntu1.17

Ubuntu 20.04 LTS
libssl1.1 1.1.1f-1ubuntu2.23

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6937-1
CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, CVE-2024-5535

Package Information:
https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.2
https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.17
https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.23



[USN-6933-1] ClickHouse vulnerabilities


protected-headers="v1"
From: Shishir Subedi <shishir.subedi@canonical.com&rt;
Reply-To: Ubuntu Security <security@ubuntu.com&rt;
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <7f892bdc-aee5-4f39-9353-0a6507a16451@canonical.com&rt;
Subject: [USN-6933-1] ClickHouse vulnerabilities

--------------Y2Mys783xaZY4HN74Q3eEJq8

==========================================================================
Ubuntu Security Notice USN-6933-1
July 31, 2024

clickhouse vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in ClickHouse.

Software Description:
- clickhouse: column-oriented database system (cli client)

Details:

It was discovered that ClickHouse incorrectly handled memory, leading to a
heap out-of-bounds data read. An attacker could possibly use this issue to
cause a denial of service, or leak sensitive information.
(CVE-2021-42387, CVE-2021-41388)

It was discovered that ClickHouse incorrectly handled memory, leading to a
heap-based buffer overflow. An attacker could possibly use this issue to
cause a denial of service, or execute arbitrary code.
(CVE-2021-43304, CVE-2021-43305)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
clickhouse-common 18.16.1+ds-7ubuntu0.1
clickhouse-server 18.16.1+ds-7ubuntu0.1
clickhouse-tools 18.16.1+ds-7ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6933-1
CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305

Package Information:
https://launchpad.net/ubuntu/+source/clickhouse/18.16.1+ds-7ubuntu0.1

--------------Y2Mys783xaZY4HN74Q3eEJq8--



[USN-6939-1] Exim vulnerability


==========================================================================
Ubuntu Security Notice USN-6939-1
July 31, 2024

exim4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Exim could be made to bypass a MIME filename extension-blocking
protection mechanism if it received specially crafted input.

Software Description:
- exim4: Exim is a mail transport agent

Details:

Phillip Szelat discovered that Exim misparses multiline MIME header
filenames. A remote attacker could use this issue to bypass a MIME filename
extension-blocking protection mechanism and possibly deliver executable
attachments to the mailboxes of end users.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  exim4                           4.97-4ubuntu4.1
  exim4-base                      4.97-4ubuntu4.1
  eximon4                         4.97-4ubuntu4.1

Ubuntu 22.04 LTS
  exim4                           4.95-4ubuntu2.6
  exim4-base                      4.95-4ubuntu2.6
  eximon4                         4.95-4ubuntu2.6

Ubuntu 20.04 LTS
  exim4                           4.93-13ubuntu1.12
  exim4-base                      4.93-13ubuntu1.12
  eximon4                         4.93-13ubuntu1.12

Ubuntu 18.04 LTS
  exim4                           4.90.1-1ubuntu1.10+esm5
                                  Available with Ubuntu Pro
  exim4-base                      4.90.1-1ubuntu1.10+esm5
                                  Available with Ubuntu Pro
  eximon4                         4.90.1-1ubuntu1.10+esm5
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  exim4                           4.86.2-2ubuntu2.6+esm8
                                  Available with Ubuntu Pro
  exim4-base                      4.86.2-2ubuntu2.6+esm8
                                  Available with Ubuntu Pro
  eximon4                         4.86.2-2ubuntu2.6+esm8
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6939-1
  CVE-2024-39929

Package Information:
  https://launchpad.net/ubuntu/+source/exim4/4.97-4ubuntu4.1
  https://launchpad.net/ubuntu/+source/exim4/4.95-4ubuntu2.6
  https://launchpad.net/ubuntu/+source/exim4/4.93-13ubuntu1.12



[USN-6936-1] Apache Commons Collections vulnerability


==========================================================================
Ubuntu Security Notice USN-6936-1
July 31, 2024

libcommons-collections3-java vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Apache Commons Collections could be made to execute arbitrary code if it
received specially crafted input.

Software Description:
- libcommons-collections3-java: Apache Commons Collections - Extended
Collections API for Java

Details:

It was discovered that Apache Commons Collections allowed serialization
support for unsafe classes by default. A remote attacker could possibly
use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS
  libcommons-collections3-java    3.2.1-6ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6936-1
  CVE-2015-4852



[USN-6913-2] phpCAS vulnerability


==========================================================================
Ubuntu Security Notice USN-6913-2
July 31, 2024

php-cas vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

phpCAS was vulnerable to an authentication bypass.

Software Description:
- php-cas: Central Authentication Service client library in php

Details:

USN-6913-1 fixed CVE-2022-39369 for Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
This update provides the corresponding fix for Ubuntu 16.04 LTS.

Original advisory details:

Filip Hejsek discovered that phpCAS was using HTTP headers to determine
the service URL used to validate tickets. A remote attacker could
possibly use this issue to gain access to a victim's account on a
vulnerable CASified service.

This security update introduces an incompatible API change. After applying
this update, third party applications need to be modified to pass in an
additional service base URL argument when constructing the client class.

For more information please refer to the section
"Upgrading 1.5.0 -&rt; 1.6.0" of the phpCAS upgrading document:

https://github.com/apereo/phpCAS/blob/master/docs/Upgrading

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
php-cas 1.3.3-2ubuntu1+esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6913-2
https://ubuntu.com/security/notices/USN-6913-1
CVE-2022-39369