[USN-7299-2] X.Org X Server vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7299-2
March 10, 2025
xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in X.Org X Server.
Software Description:
- xorg-server: X.Org X11 server
- xorg-server-hwe-18.04: X.Org X11 server
- xorg-server-hwe-16.04: X.Org X11 server
Details:
USN-7299-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
certain memory operations. An attacker could use these issues to cause the
X Server to crash, leading to a denial of service, or possibly execute
arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
xserver-xorg-core 2:1.19.6-1ubuntu4.15+esm10
Available with Ubuntu Pro
xserver-xorg-core-hwe-18.04 2:1.20.8-2ubuntu2.2~18.04.11+esm2
Available with Ubuntu Pro
xwayland 2:1.19.6-1ubuntu4.15+esm10
Available with Ubuntu Pro
xwayland-hwe-18.04 2:1.20.8-2ubuntu2.2~18.04.11+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
xserver-xorg-core 2:1.18.4-0ubuntu0.12+esm15
Available with Ubuntu Pro
xserver-xorg-core-hwe-16.04 2:1.19.6-1ubuntu4.1~16.04.6+esm7
Available with Ubuntu Pro
xwayland 2:1.18.4-0ubuntu0.12+esm15
Available with Ubuntu Pro
xwayland-hwe-16.04 2:1.19.6-1ubuntu4.1~16.04.6+esm7
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7299-2
https://ubuntu.com/security/notices/USN-7299-1
CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597,
CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601
[USN-7336-1] GNU Chess vulnerability
==========================================================================
Ubuntu Security Notice USN-7336-1
March 06, 2025
gnuchess vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
gnuchess could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- gnuchess: Plays a game of chess, either against the user or against itself
Details:
Michael Vaughan discovered an overflow vulnerability in GNU Chess that
occurs when reading a specially crafted Portable Game Notation (PGN)
file. An attacker could possibly use this issue to cause GNU Chess to
crash, resulting in a denial of service, or the execution of arbitrary
code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
gnuchess 6.2.7-1+deb11u1build0.24.10.1
Ubuntu 24.04 LTS
gnuchess 6.2.7-1+deb11u1build0.24.04.1
Ubuntu 22.04 LTS
gnuchess 6.2.7-1+deb11u1build0.22.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7336-1
CVE-2021-30184
Package Information:
https://launchpad.net/ubuntu/+source/gnuchess/6.2.7-1+deb11u1build0.24.10.1
https://launchpad.net/ubuntu/+source/gnuchess/6.2.7-1+deb11u1build0.24.04.1
https://launchpad.net/ubuntu/+source/gnuchess/6.2.7-1+deb11u1build0.22.04.1
[USN-7338-1] CRaC JDK 17 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7338-1
March 11, 2025
openjdk-17-crac vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
Several security issues were fixed in CRaC JDK 17.
Software Description:
- openjdk-17-crac: Open Source Java implementation with Coordinated Restore
at Checkpoints
Details:
Andy Boothe discovered that the Networking component of CRaC JDK 17 did not
properly handle access under certain circumstances. An unauthenticated
attacker could possibly use this issue to cause a denial of service.
(CVE-2024-21208)
It was discovered that the Hotspot component of CRaC JDK 17 did not
properly handle vectorization under certain circumstances. An
unauthenticated attacker could possibly use this issue to access
unauthorized resources and expose sensitive information.
(CVE-2024-21210, CVE-2024-21235)
It was discovered that the Serialization component of CRaC JDK 17 did not
properly handle deserialization under certain circumstances. An
unauthenticated attacker could possibly use this issue to cause a denial
of service. (CVE-2024-21217)
It was discovered that the Hotspot component of CRaC JDK 17 did not
properly handle API access under certain circumstances. An unauthenticated
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2025-21502)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2024-10-15
https://openjdk.org/groups/vulnerability/advisories/2025-01-21
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
openjdk-17-crac-jdk 17.0.14+7-0ubuntu1~24.10
openjdk-17-crac-jdk-headless 17.0.14+7-0ubuntu1~24.10
openjdk-17-crac-jre 17.0.14+7-0ubuntu1~24.10
openjdk-17-crac-jre-headless 17.0.14+7-0ubuntu1~24.10
openjdk-17-crac-jre-zero 17.0.14+7-0ubuntu1~24.10
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7338-1
CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235,
CVE-2025-21502
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17-crac/17.0.14+7-0ubuntu1~24.10
[USN-7339-1] CRaC JDK 21 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7339-1
March 11, 2025
openjdk-21-crac vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
Several security issues were fixed in CRaC JDK 21.
Software Description:
- openjdk-21-crac: Open Source Java implementation with Coordinated Restore
at Checkpoints
Details:
Andy Boothe discovered that the Networking component of CRaC JDK 21 did not
properly handle access under certain circumstances. An unauthenticated
attacker could possibly use this issue to cause a denial of service.
(CVE-2024-21208)
It was discovered that the Hotspot component of CRaC JDK 21 did not
properly handle vectorization under certain circumstances. An
unauthenticated attacker could possibly use this issue to access
unauthorized resources and expose sensitive information.
(CVE-2024-21210, CVE-2024-21235)
It was discovered that the Serialization component of CRaC JDK 21 did not
properly handle deserialization under certain circumstances. An
unauthenticated attacker could possibly use this issue to cause a denial
of service. (CVE-2024-21217)
It was discovered that the Hotspot component of CRaC JDK 21 did not
properly handle API access under certain circumstances. An unauthenticated
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2025-21502)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2024-10-15
https://openjdk.org/groups/vulnerability/advisories/2025-01-21
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
openjdk-21-crac-jdk 21.0.6+7-0ubuntu1~24.10
openjdk-21-crac-jdk-headless 21.0.6+7-0ubuntu1~24.10
openjdk-21-crac-jre 21.0.6+7-0ubuntu1~24.10
openjdk-21-crac-jre-headless 21.0.6+7-0ubuntu1~24.10
openjdk-21-crac-jre-zero 21.0.6+7-0ubuntu1~24.10
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7339-1
CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235,
CVE-2025-21502
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-21-crac/21.0.6+7-0ubuntu1~24.10
[USN-7340-1] OpenVPN vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7340-1
March 11, 2025
openvpn vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in OpenVPN.
Software Description:
- openvpn: virtual private network software
Details:
It was discovered that OpenVPN did not perform proper input validation
when generating a TLS key under certain configurations, which could lead to
a buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-12166)
Reynir Björnsson discovered that OpenVPN incorrectly handled certain
control channel messages with nonprintable characters. A remote attacker
could possibly use this issue to cause OpenVPN to consume resources, or
fill up log files with garbage, leading to a denial of service.
(CVE-2024-5594)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
openvpn 2.4.4-2ubuntu1.7+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
openvpn 2.3.10-1ubuntu2.2+esm2
Available with Ubuntu Pro
Ubuntu 14.04 LTS
openvpn 2.3.2-7ubuntu3.2+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7340-1
CVE-2017-12166, CVE-2024-5594