{ "summary": { "snap": { "added": [], "removed": [], "diff": [ "core22", "snapd" ] }, "deb": { "added": [ "linux-headers-6.5.0-28", "linux-headers-6.5.0-28-generic", "linux-image-6.5.0-28-generic", "linux-modules-6.5.0-28-generic" ], "removed": [ "linux-headers-6.5.0-27", "linux-headers-6.5.0-27-generic", "linux-image-6.5.0-27-generic", "linux-modules-6.5.0-27-generic" ], "diff": [ "bsdextrautils", "bsdutils", "cloud-init", "cpio", "distro-info-data", "eject", "fdisk", "klibc-utils", "landscape-common", "less", "libblkid1:s390x", "libc-bin", "libc6:s390x", "libfdisk1:s390x", "libgnutls30:s390x", "libklibc:s390x", "libmount1:s390x", "libnghttp2-14:s390x", "libnss3:s390x", "libsmartcols1:s390x", "libuuid1:s390x", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "locales", "mount", "openssh-client", "openssh-server", "openssh-sftp-server", "snapd", "ubuntu-advantage-tools", "ubuntu-pro-client", "ubuntu-pro-client-l10n", "util-linux", "uuid-runtime" ] } }, "diff": { "deb": [ { "name": "bsdextrautils", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "bsdutils", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "1:2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "1:2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "23.4.4-0ubuntu0~23.10.1", "version": "23.4.4-0ubuntu0~23.10.1" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "24.1.3-0ubuntu1~23.10.2", "version": "24.1.3-0ubuntu1~23.10.2" }, "cves": [], "launchpad_bugs_fixed": [ 2056100, 2056100, 2056100 ], "changes": [ { "cves": [], "log": [ "", " * cherry-pick 516fad6d: fix(url_helper): fix TCP connection leak on", " readurl() retries", "" ], "package": "cloud-init", "version": "24.1.3-0ubuntu1~23.10.2", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [], "author": "Brett Holman ", "date": "Mon, 08 Apr 2024 10:13:42 -0600" }, { "cves": [], "log": [ "", " * Upstream snapshot based on 24.1.3. (LP: #2056100).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/24.1.3/ChangeLog", "" ], "package": "cloud-init", "version": "24.1.3-0ubuntu1~23.10.1", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2056100 ], "author": "James Falcon ", "date": "Wed, 27 Mar 2024 08:37:16 -0500" }, { "cves": [], "log": [ "", " * refresh patches:", " - d/p/retain-ec2-default-net-update-events.patch", " * Upstream snapshot based on 24.1.2. (LP: #2056100).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/24.1.2/ChangeLog", "" ], "package": "cloud-init", "version": "24.1.2-0ubuntu1~23.10.1", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2056100 ], "author": "Chad Smith ", "date": "Thu, 21 Mar 2024 09:23:18 -0600" }, { "cves": [], "log": [ "", " * d/apport-general-hook.py: Move apport hook to main branch", " * d/cloud-init.maintscript: remove /etc/cloud/clean.d/README", " * d/cloud-init.logrotate: add logrotate config for cloud-init", " * d/cloud-init.templates: enable WSL datasource by default", " * d/p/keep-dhclient-as-priority-client.patch:", " - keep dhclient as default client", " * d/p/revert-551f560d-cloud-config-after-snap-seeding.patch", " - Retain systemd ordering cloud-config.service After=snapd.seeded.service", " * d/p/retain-ec2-default-net-update-events.patch:", " Reverts 4dbb08f5f0cc4f41cf9dd1474f0600a11510a3c9 to not change behavior", " on stable releases.", " * d/po/templates.pot: update for wsl", " * d/cloud-init.postinst: change priority of hotplug rules.", " Avoids LP #1946003 on upgraded systems. References:", " [0] https://github.com/canonical/cloud-init/pull/4799", " [1] commit/b519d861aff8b44a0610c176cb34adcbe28df144", " * refresh patches:", " - d/p/status-do-not-remove-duplicated-data.patch", " - d/p/status-retain-recoverable-error-exit-code.patch", " * Upstream snapshot based on 24.1.1. (LP: #2056100).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/24.1.1/ChangeLog", "" ], "package": "cloud-init", "version": "24.1.1-0ubuntu1~23.10.1", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2056100 ], "author": "Brett Holman ", "date": "Wed, 13 Mar 2024 16:42:43 -0600" } ], "notes": null }, { "name": "cpio", "from_version": { "source_package_name": "cpio", "source_package_version": "2.13+dfsg-7.1", "version": "2.13+dfsg-7.1" }, "to_version": { "source_package_name": "cpio", "source_package_version": "2.13+dfsg-7.1ubuntu0.1", "version": "2.13+dfsg-7.1ubuntu0.1" }, "cves": [ { "cve": "CVE-2023-7207", "url": "https://ubuntu.com/security/CVE-2023-7207", "cve_description": "Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.", "cve_priority": "medium", "cve_public_date": "2024-02-29 01:42:00 UTC" }, { "cve": "CVE-2015-1197", "url": "https://ubuntu.com/security/CVE-2015-1197", "cve_description": "cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.", "cve_priority": "low", "cve_public_date": "2015-02-19 15:59:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-7207", "url": "https://ubuntu.com/security/CVE-2023-7207", "cve_description": "Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.", "cve_priority": "medium", "cve_public_date": "2024-02-29 01:42:00 UTC" }, { "cve": "CVE-2015-1197", "url": "https://ubuntu.com/security/CVE-2015-1197", "cve_description": "cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.", "cve_priority": "low", "cve_public_date": "2015-02-19 15:59:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Path traversal vulnerability", " - debian/patches/CVE-2023-7207.patch: Create symlink placeholder", " if --no-absolute-filenames was given and replace placeholders", " after extraction.", " - debian/patches/revert-CVE-2015-1197-handling.patch: Removed.", " - CVE-2023-7207", "" ], "package": "cpio", "version": "2.13+dfsg-7.1ubuntu0.1", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Fabian Toepfer ", "date": "Sun, 28 Apr 2024 14:32:00 +0200" } ], "notes": null }, { "name": "distro-info-data", "from_version": { "source_package_name": "distro-info-data", "source_package_version": "0.58ubuntu0.2", "version": "0.58ubuntu0.2" }, "to_version": { "source_package_name": "distro-info-data", "source_package_version": "0.58ubuntu0.3", "version": "0.58ubuntu0.3" }, "cves": [], "launchpad_bugs_fixed": [ 2064136 ], "changes": [ { "cves": [], "log": [ "", " [ Santiago Ruano Rincón ]", " * Declare LTS and ELTS intentions for bullseye and bookworm", "", " [ Utkarsh Gupta ]", " * debian: Fix LTS EOL date for bullseye", "", " [ Jeremy Bícha ]", " * debian.csv: Fix EOL date for 2.2", "", " [ Benjamin Drung ]", " * Add Ubuntu 24.10 \"Oracular Oriole\" (LP: #2064136)", " * Update year in debian/copyright", " * Name autopkgtest \"up-to-date\"", "" ], "package": "distro-info-data", "version": "0.58ubuntu0.3", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2064136 ], "author": "Benjamin Drung ", "date": "Tue, 30 Apr 2024 12:54:48 +0200" } ], "notes": null }, { "name": "eject", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "fdisk", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "klibc-utils", "from_version": { "source_package_name": "klibc", "source_package_version": "2.0.13-1", "version": "2.0.13-1" }, "to_version": { "source_package_name": "klibc", "source_package_version": "2.0.13-1ubuntu0.1", "version": "2.0.13-1ubuntu0.1" }, "cves": [ { "cve": "CVE-2016-9840", "url": "https://ubuntu.com/security/CVE-2016-9840", "cve_description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" }, { "cve": "CVE-2016-9841", "url": "https://ubuntu.com/security/CVE-2016-9841", "cve_description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" }, { "cve": "CVE-2018-25032", "url": "https://ubuntu.com/security/CVE-2018-25032", "cve_description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", "cve_priority": "medium", "cve_public_date": "2022-03-25 09:15:00 UTC" }, { "cve": "CVE-2022-37434", "url": "https://ubuntu.com/security/CVE-2022-37434", "cve_description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", "cve_priority": "medium", "cve_public_date": "2022-08-05 07:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2016-9840", "url": "https://ubuntu.com/security/CVE-2016-9840", "cve_description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" }, { "cve": "CVE-2016-9841", "url": "https://ubuntu.com/security/CVE-2016-9841", "cve_description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" }, { "cve": "CVE-2018-25032", "url": "https://ubuntu.com/security/CVE-2018-25032", "cve_description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", "cve_priority": "medium", "cve_public_date": "2022-03-25 09:15:00 UTC" }, { "cve": "CVE-2022-37434", "url": "https://ubuntu.com/security/CVE-2022-37434", "cve_description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", "cve_priority": "medium", "cve_public_date": "2022-08-05 07:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: improper pointer arithmetic", " - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization", " in usr/klibc/zlib/inftrees.c.", " - CVE-2016-9840", " * SECURITY UPDATE: improper pointer arithmetic", " - debian/patches/CVE-2016-9841.patch: remove offset pointer optimization", " in usr/klibc/zlib/inffast.c.", " - CVE-2016-9841", " * SECURITY UPDATE: memory corruption during compression", " - debian/patches/CVE-2018-25032.patch: addresses a bug that can crash", " deflate on rare inputs when using Z_FIXED.", " - CVE-2018-25032", " * SECURITY UPDATE: heap-based buffer over-read", " - debian/patches/CVE-2022-37434-1.patch: adds an extra condition to check", " if state->head->extra_max is greater than len before copying, and moves", " the len assignment to be placed before the check in", " usr/klibc/zlib/inflate.c.", " - debian/patches/CVE-2022-37434-2.patch: in the previous patch, the", " placement of the len assignment was causing issues so it was moved", " within the conditional check.", " - CVE-2022-37434", "" ], "package": "klibc", "version": "2.0.13-1ubuntu0.1", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Fri, 12 Apr 2024 15:52:21 +0300" } ], "notes": null }, { "name": "landscape-common", "from_version": { "source_package_name": "landscape-client", "source_package_version": "23.08-0ubuntu1", "version": "23.08-0ubuntu1" }, "to_version": { "source_package_name": "landscape-client", "source_package_version": "23.08-0ubuntu1.2", "version": "23.08-0ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2027613, 2040189, 2040924 ], "changes": [ { "cves": [], "log": [ "", " * avoid stopping services on upgrade (LP: #2027613)", " - d/rules: use default dh_installsystemd behaviour", " - d/landscape-client.service: check registration status before starting", " service", "" ], "package": "landscape-client", "version": "23.08-0ubuntu1.2", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2027613 ], "author": "Mitch Burton ", "date": "Mon, 22 Apr 2024 10:20:29 -0700" }, { "cves": [], "log": [ "", " * d/p/0001-start-service-during-config.patch: fix landscape-config does not", " start landscape-client service (LP: #2040189)", " * d/landscape-sysinfo.wrapper: fix handler using cache when permissions", " allow (LP: #2040924)", "" ], "package": "landscape-client", "version": "23.08-0ubuntu1.1", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2040189, 2040924 ], "author": "Mitch Burton ", "date": "Tue, 05 Mar 2024 10:55:35 -0800" } ], "notes": null }, { "name": "less", "from_version": { "source_package_name": "less", "source_package_version": "590-2ubuntu0.23.10.1", "version": "590-2ubuntu0.23.10.1" }, "to_version": { "source_package_name": "less", "source_package_version": "590-2ubuntu0.23.10.2", "version": "590-2ubuntu0.23.10.2" }, "cves": [ { "cve": "CVE-2024-32487", "url": "https://ubuntu.com/security/CVE-2024-32487", "cve_description": "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", "cve_priority": "medium", "cve_public_date": "2024-04-13 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-32487", "url": "https://ubuntu.com/security/CVE-2024-32487", "cve_description": "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", "cve_priority": "medium", "cve_public_date": "2024-04-13 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Arbitrary command execution", " - debian/patches/CVE-2024-32487.patch: Fix bug when viewing a file", " whose name contains a newline.", " - CVE-2024-32487", "" ], "package": "less", "version": "590-2ubuntu0.23.10.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Fabian Toepfer ", "date": "Sat, 27 Apr 2024 22:24:28 +0200" } ], "notes": null }, { "name": "libblkid1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "libc-bin", "from_version": { "source_package_name": "glibc", "source_package_version": "2.38-1ubuntu6.1", "version": "2.38-1ubuntu6.1" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.38-1ubuntu6.2", "version": "2.38-1ubuntu6.2" }, "cves": [ { "cve": "CVE-2024-2961", "url": "https://ubuntu.com/security/CVE-2024-2961", "cve_description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "cve_priority": "medium", "cve_public_date": "2024-04-17 18:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-2961", "url": "https://ubuntu.com/security/CVE-2024-2961", "cve_description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "cve_priority": "medium", "cve_public_date": "2024-04-17 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OOB write in iconv plugin ISO-2022-CN-EXT", " - debian/patches/CVE-2024-2961.patch: fix out-of-bound writes when", " writing escape sequence in iconvdata/Makefile,", " iconvdata/iso-2022-cn-ext.c, iconvdata/tst-iconv-iso-2022-cn-ext.c.", " - CVE-2024-2961", "" ], "package": "glibc", "version": "2.38-1ubuntu6.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 16 Apr 2024 09:38:28 -0400" } ], "notes": null }, { "name": "libc6:s390x", "from_version": { "source_package_name": "glibc", "source_package_version": "2.38-1ubuntu6.1", "version": "2.38-1ubuntu6.1" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.38-1ubuntu6.2", "version": "2.38-1ubuntu6.2" }, "cves": [ { "cve": "CVE-2024-2961", "url": "https://ubuntu.com/security/CVE-2024-2961", "cve_description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "cve_priority": "medium", "cve_public_date": "2024-04-17 18:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-2961", "url": "https://ubuntu.com/security/CVE-2024-2961", "cve_description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "cve_priority": "medium", "cve_public_date": "2024-04-17 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OOB write in iconv plugin ISO-2022-CN-EXT", " - debian/patches/CVE-2024-2961.patch: fix out-of-bound writes when", " writing escape sequence in iconvdata/Makefile,", " iconvdata/iso-2022-cn-ext.c, iconvdata/tst-iconv-iso-2022-cn-ext.c.", " - CVE-2024-2961", "" ], "package": "glibc", "version": "2.38-1ubuntu6.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 16 Apr 2024 09:38:28 -0400" } ], "notes": null }, { "name": "libfdisk1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "libgnutls30:s390x", "from_version": { "source_package_name": "gnutls28", "source_package_version": "3.8.1-4ubuntu1.2", "version": "3.8.1-4ubuntu1.2" }, "to_version": { "source_package_name": "gnutls28", "source_package_version": "3.8.1-4ubuntu1.3", "version": "3.8.1-4ubuntu1.3" }, "cves": [ { "cve": "CVE-2024-28834", "url": "https://ubuntu.com/security/CVE-2024-28834", "cve_description": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.", "cve_priority": "medium", "cve_public_date": "2024-03-21 14:15:00 UTC" }, { "cve": "CVE-2024-28835", "url": "https://ubuntu.com/security/CVE-2024-28835", "cve_description": "A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.", "cve_priority": "medium", "cve_public_date": "2024-03-21 06:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28834", "url": "https://ubuntu.com/security/CVE-2024-28834", "cve_description": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.", "cve_priority": "medium", "cve_public_date": "2024-03-21 14:15:00 UTC" }, { "cve": "CVE-2024-28835", "url": "https://ubuntu.com/security/CVE-2024-28835", "cve_description": "A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.", "cve_priority": "medium", "cve_public_date": "2024-03-21 06:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: side-channel leak via Minerva attack", " - debian/patches/CVE-2024-28834.patch: avoid normalization of mpz_t in", " deterministic ECDSA in lib/nettle/int/dsa-compute-k.c,", " lib/nettle/int/dsa-compute-k.h, lib/nettle/int/ecdsa-compute-k.c,", " lib/nettle/int/ecdsa-compute-k.h, lib/nettle/pk.c,", " tests/sign-verify-deterministic.c.", " - CVE-2024-28834", " * SECURITY UPDATE: crash via specially-crafted cert bundle", " - debian/patches/CVE-2024-28835.patch: remove length limit of input in", " lib/gnutls_int.h, lib/x509/common.c, lib/x509/verify-high.c,", " tests/test-chains.h.", " - CVE-2024-28835", "" ], "package": "gnutls28", "version": "3.8.1-4ubuntu1.3", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 12 Apr 2024 09:12:36 -0400" } ], "notes": null }, { "name": "libklibc:s390x", "from_version": { "source_package_name": "klibc", "source_package_version": "2.0.13-1", "version": "2.0.13-1" }, "to_version": { "source_package_name": "klibc", "source_package_version": "2.0.13-1ubuntu0.1", "version": "2.0.13-1ubuntu0.1" }, "cves": [ { "cve": "CVE-2016-9840", "url": "https://ubuntu.com/security/CVE-2016-9840", "cve_description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" }, { "cve": "CVE-2016-9841", "url": "https://ubuntu.com/security/CVE-2016-9841", "cve_description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" }, { "cve": "CVE-2018-25032", "url": "https://ubuntu.com/security/CVE-2018-25032", "cve_description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", "cve_priority": "medium", "cve_public_date": "2022-03-25 09:15:00 UTC" }, { "cve": "CVE-2022-37434", "url": "https://ubuntu.com/security/CVE-2022-37434", "cve_description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", "cve_priority": "medium", "cve_public_date": "2022-08-05 07:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2016-9840", "url": "https://ubuntu.com/security/CVE-2016-9840", "cve_description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" }, { "cve": "CVE-2016-9841", "url": "https://ubuntu.com/security/CVE-2016-9841", "cve_description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" }, { "cve": "CVE-2018-25032", "url": "https://ubuntu.com/security/CVE-2018-25032", "cve_description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", "cve_priority": "medium", "cve_public_date": "2022-03-25 09:15:00 UTC" }, { "cve": "CVE-2022-37434", "url": "https://ubuntu.com/security/CVE-2022-37434", "cve_description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", "cve_priority": "medium", "cve_public_date": "2022-08-05 07:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: improper pointer arithmetic", " - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization", " in usr/klibc/zlib/inftrees.c.", " - CVE-2016-9840", " * SECURITY UPDATE: improper pointer arithmetic", " - debian/patches/CVE-2016-9841.patch: remove offset pointer optimization", " in usr/klibc/zlib/inffast.c.", " - CVE-2016-9841", " * SECURITY UPDATE: memory corruption during compression", " - debian/patches/CVE-2018-25032.patch: addresses a bug that can crash", " deflate on rare inputs when using Z_FIXED.", " - CVE-2018-25032", " * SECURITY UPDATE: heap-based buffer over-read", " - debian/patches/CVE-2022-37434-1.patch: adds an extra condition to check", " if state->head->extra_max is greater than len before copying, and moves", " the len assignment to be placed before the check in", " usr/klibc/zlib/inflate.c.", " - debian/patches/CVE-2022-37434-2.patch: in the previous patch, the", " placement of the len assignment was causing issues so it was moved", " within the conditional check.", " - CVE-2022-37434", "" ], "package": "klibc", "version": "2.0.13-1ubuntu0.1", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Fri, 12 Apr 2024 15:52:21 +0300" } ], "notes": null }, { "name": "libmount1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "libnghttp2-14:s390x", "from_version": { "source_package_name": "nghttp2", "source_package_version": "1.55.1-1ubuntu0.1", "version": "1.55.1-1ubuntu0.1" }, "to_version": { "source_package_name": "nghttp2", "source_package_version": "1.55.1-1ubuntu0.2", "version": "1.55.1-1ubuntu0.2" }, "cves": [ { "cve": "CVE-2024-28182", "url": "https://ubuntu.com/security/CVE-2024-28182", "cve_description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2024-04-04 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28182", "url": "https://ubuntu.com/security/CVE-2024-28182", "cve_description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", "cve_priority": "medium", "cve_public_date": "2024-04-04 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HTTP/2 protocol denial of service", " - debian/patches/CVE-2024-28182-1.patch: Add", " nghttp2_option_set_max_continuations", " - debian/patches/CVE-2024-28182-2.patch: Limit CONTINUATION frames", " following an incoming HEADER frame", " - CVE-2024-28182", "" ], "package": "nghttp2", "version": "1.55.1-1ubuntu0.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Fabian Toepfer ", "date": "Wed, 17 Apr 2024 16:45:46 +0200" } ], "notes": null }, { "name": "libnss3:s390x", "from_version": { "source_package_name": "nss", "source_package_version": "2:3.92-1", "version": "2:3.92-1" }, "to_version": { "source_package_name": "nss", "source_package_version": "2:3.98-0ubuntu0.23.10.1", "version": "2:3.98-0ubuntu0.23.10.1" }, "cves": [ { "cve": "CVE-2023-5388", "url": "https://ubuntu.com/security/CVE-2023-5388", "cve_description": "NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.", "cve_priority": "medium", "cve_public_date": "2024-03-19 12:15:00 UTC" }, { "cve": "CVE-2023-6135", "url": "https://ubuntu.com/security/CVE-2023-6135", "cve_description": "Multiple NSS NIST curves were susceptible to a side-channel attack known as \"Minerva\". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.", "cve_priority": "medium", "cve_public_date": "2023-12-19 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-5388", "url": "https://ubuntu.com/security/CVE-2023-5388", "cve_description": "NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.", "cve_priority": "medium", "cve_public_date": "2024-03-19 12:15:00 UTC" }, { "cve": "CVE-2023-6135", "url": "https://ubuntu.com/security/CVE-2023-6135", "cve_description": "Multiple NSS NIST curves were susceptible to a side-channel attack known as \"Minerva\". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.", "cve_priority": "medium", "cve_public_date": "2023-12-19 14:15:00 UTC" } ], "log": [ "", " * Updated to upstream 3.98 to fix security issues and get a new CA", " certificate bundle.", " - CVE-2023-5388: timing issue in RSA operations", " - CVE-2023-6135: side-channel in multiple NSS NIST curves", " * debian/libnss3.symbols: added new symbol.", "" ], "package": "nss", "version": "2:3.98-0ubuntu0.23.10.1", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 21 Mar 2024 09:44:10 -0400" } ], "notes": null }, { "name": "libsmartcols1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "libuuid1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.5.0.27.27", "version": "6.5.0.27.27" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.5.0.28.28", "version": "6.5.0.28.28" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-28", "" ], "package": "linux-meta", "version": "6.5.0.28.28", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 28 Mar 2024 19:34:09 +0100" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.5.0.27.27", "version": "6.5.0.27.27" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.5.0.28.28", "version": "6.5.0.28.28" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-28", "" ], "package": "linux-meta", "version": "6.5.0.28.28", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 28 Mar 2024 19:34:09 +0100" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.5.0.27.27", "version": "6.5.0.27.27" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.5.0.28.28", "version": "6.5.0.28.28" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-28", "" ], "package": "linux-meta", "version": "6.5.0.28.28", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 28 Mar 2024 19:34:09 +0100" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.5.0.27.27", "version": "6.5.0.27.27" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.5.0.28.28", "version": "6.5.0.28.28" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.5.0-28", "" ], "package": "linux-meta", "version": "6.5.0.28.28", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 28 Mar 2024 19:34:09 +0100" } ], "notes": null }, { "name": "locales", "from_version": { "source_package_name": "glibc", "source_package_version": "2.38-1ubuntu6.1", "version": "2.38-1ubuntu6.1" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.38-1ubuntu6.2", "version": "2.38-1ubuntu6.2" }, "cves": [ { "cve": "CVE-2024-2961", "url": "https://ubuntu.com/security/CVE-2024-2961", "cve_description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "cve_priority": "medium", "cve_public_date": "2024-04-17 18:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-2961", "url": "https://ubuntu.com/security/CVE-2024-2961", "cve_description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", "cve_priority": "medium", "cve_public_date": "2024-04-17 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OOB write in iconv plugin ISO-2022-CN-EXT", " - debian/patches/CVE-2024-2961.patch: fix out-of-bound writes when", " writing escape sequence in iconvdata/Makefile,", " iconvdata/iso-2022-cn-ext.c, iconvdata/tst-iconv-iso-2022-cn-ext.c.", " - CVE-2024-2961", "" ], "package": "glibc", "version": "2.38-1ubuntu6.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 16 Apr 2024 09:38:28 -0400" } ], "notes": null }, { "name": "mount", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "openssh-client", "from_version": { "source_package_name": "openssh", "source_package_version": "1:9.3p1-1ubuntu3.2", "version": "1:9.3p1-1ubuntu3.2" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:9.3p1-1ubuntu3.3", "version": "1:9.3p1-1ubuntu3.3" }, "cves": [], "launchpad_bugs_fixed": [ 2053146 ], "changes": [ { "cves": [], "log": [ "", " * d/p/gssapi.patch: fix method_gsskeyex structure and", " userauth_gsskeyex function regarding changes introduced in upstream", " commit dbb339f015c33d63484261d140c84ad875a9e548 (\"prepare for", " multiple names for authmethods\") (LP: #2053146)", " * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic", " and gssapi-keyex authentication methods", "" ], "package": "openssh", "version": "1:9.3p1-1ubuntu3.3", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2053146 ], "author": "Andreas Hasenack ", "date": "Fri, 15 Mar 2024 17:25:30 -0300" } ], "notes": null }, { "name": "openssh-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:9.3p1-1ubuntu3.2", "version": "1:9.3p1-1ubuntu3.2" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:9.3p1-1ubuntu3.3", "version": "1:9.3p1-1ubuntu3.3" }, "cves": [], "launchpad_bugs_fixed": [ 2053146 ], "changes": [ { "cves": [], "log": [ "", " * d/p/gssapi.patch: fix method_gsskeyex structure and", " userauth_gsskeyex function regarding changes introduced in upstream", " commit dbb339f015c33d63484261d140c84ad875a9e548 (\"prepare for", " multiple names for authmethods\") (LP: #2053146)", " * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic", " and gssapi-keyex authentication methods", "" ], "package": "openssh", "version": "1:9.3p1-1ubuntu3.3", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2053146 ], "author": "Andreas Hasenack ", "date": "Fri, 15 Mar 2024 17:25:30 -0300" } ], "notes": null }, { "name": "openssh-sftp-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:9.3p1-1ubuntu3.2", "version": "1:9.3p1-1ubuntu3.2" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:9.3p1-1ubuntu3.3", "version": "1:9.3p1-1ubuntu3.3" }, "cves": [], "launchpad_bugs_fixed": [ 2053146 ], "changes": [ { "cves": [], "log": [ "", " * d/p/gssapi.patch: fix method_gsskeyex structure and", " userauth_gsskeyex function regarding changes introduced in upstream", " commit dbb339f015c33d63484261d140c84ad875a9e548 (\"prepare for", " multiple names for authmethods\") (LP: #2053146)", " * d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic", " and gssapi-keyex authentication methods", "" ], "package": "openssh", "version": "1:9.3p1-1ubuntu3.3", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2053146 ], "author": "Andreas Hasenack ", "date": "Fri, 15 Mar 2024 17:25:30 -0300" } ], "notes": null }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.61.3+23.10", "version": "2.61.3+23.10" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.62+23.10", "version": "2.62+23.10" }, "cves": [], "launchpad_bugs_fixed": [ 2058277, 2039017 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2058277", " - Aspects based configuration schema support (experimental)", " - Refresh app awareness support for UI (experimental)", " - Support for user daemons by introducing new control switches", " --user/--system/--users for service start/stop/restart", " (experimental)", " - Add AppArmor prompting experimental flag (feature currently", " unsupported)", " - Installation of local snap components of type test", " - Packaging of components with snap pack", " - Expose experimental features supported/enabled in snapd REST API", " endpoint /v2/system-info", " - Support creating and removing recovery systems for use by factory", " reset", " - Enable API route for creating and removing recovery systems using", " /v2/systems with action create and /v2/systems/{label} with action", " remove", " - Lift requirements for fde-setup hook for single boot install", " - Enable single reboot gadget update for UC20+", " - Allow core to be removed on classic systems", " - Support for remodeling on hybrid systems", " - Install desktop files on Ubuntu Core and update after snapd", " upgrade", " - Upgrade sandbox features to account for cgroup v2 device filtering", " - Support snaps to manage their own cgroups", " - Add support for AppArmor 4.0 unconfined profile mode", " - Add AppArmor based read access to /etc/default/keyboard", " - Upgrade to squashfuse 0.5.0", " - Support useradd utility to enable removing Perl dependency for", " UC24+", " - Support for recovery-chooser to use console-conf snap", " - Add support for --uid/--gid using strace-static", " - Add support for notices (from pebble) and expose via the snapd", " REST API endpoints /v2/notices and /v2/notice", " - Add polkit authentication for snapd REST API endpoints", " /v2/snaps/{snap}/conf and /v2/apps", " - Add refresh-inhibit field to snapd REST API endpoint /v2/snaps", " - Add refresh-inhibited select query to REST API endpoint /v2/snaps", " - Take into account validation sets during remodeling", " - Improve offline remodeling to use installed revisions of snaps to", " fulfill the remodel revision requirement", " - Add rpi configuration option sdtv_mode", " - When snapd snap is not installed, pin policy ABI to 4.0 or 3.0 if", " present on host", " - Fix gadget zero-sized disk mapping caused by not ignoring zero", " sized storage traits", " - Fix gadget install case where size of existing partition was not", " correctly taken into account", " - Fix trying to unmount early kernel mount if it does not exist", " - Fix restarting mount units on snapd start", " - Fix call to udev in preseed mode", " - Fix to ensure always setting up the device cgroup for base bare", " and core24+", " - Fix not copying data from newly set homedirs on revision change", " - Fix leaving behind empty snap home directories after snap is", " removed (resulting in broken symlink)", " - Fix to avoid using libzstd from host by adding to snapd snap", " - Fix autorefresh to correctly handle forever refresh hold", " - Fix username regex allowed for system-user assertion to not allow", " '+'", " - Fix incorrect application icon for notification after autorefresh", " completion", " - Fix to restart mount units when changed", " - Fix to support AppArmor running under incus", " - Fix case of snap-update-ns dropping synthetic mounts due to", " failure to match desired mount dependencies", " - Fix parsing of base snap version to enable pre-seeding of Ubuntu", " Core Desktop", " - Fix packaging and tests for various distributions", " - Add remoteproc interface to allow developers to interact with", " Remote Processor Framework which enables snaps to load firmware to", " ARM Cortex microcontrollers", " - Add kernel-control interface to enable controlling the kernel", " firmware search path", " - Add nfs-mount interface to allow mounting of NFS shares", " - Add ros-opt-data interface to allow snaps to access the host", " /opt/ros/ paths", " - Add snap-refresh-observe interface that provides refresh-app-", " awareness clients access to relevant snapd API endpoints", " - steam-support interface: generalize Pressure Vessel root paths and", " allow access to driver information, features and container", " versions", " - steam-support interface: make implicit on Ubuntu Core Desktop", " - desktop interface: improved support for Ubuntu Core Desktop and", " limit autoconnection to implicit slots", " - cups-control interface: make autoconnect depend on presence of", " cupsd on host to ensure it works on classic systems", " - opengl interface: allow read access to /usr/share/nvidia", " - personal-files interface: extend to support automatic creation of", " missing parent directories in write paths", " - network-control interface: allow creating /run/resolveconf", " - network-setup-control and network-setup-observe interfaces: allow", " busctl bind as required for systemd 254+", " - libvirt interface: allow r/w access to /run/libvirt/libvirt-sock-", " ro and read access to /var/lib/libvirt/dnsmasq/**", " - fwupd interface: allow access to IMPI devices (including locking", " of device nodes), sysfs attributes needed by amdgpu and the COD", " capsule update directory", " - uio interface: allow configuring UIO drivers from userspace", " libraries", " - serial-port interface: add support for NXP Layerscape SoC", " - lxd-support interface: add attribute enable-unconfined-mode to", " require LXD to opt-in to run unconfined", " - block-devices interface: add support for ZFS volumes", " - system-packages-doc interface: add support for reading jquery and", " sphinx documentation", " - system-packages-doc interface: workaround to prevent autoconnect", " failure for snaps using base bare", " - microceph-support interface: allow more types of block devices to", " be added as an OSD", " - mount-observe interface: allow read access to", " /proc/{pid}/task/{tid}/mounts and proc/{pid}/task/{tid}/mountinfo", " - polkit interface: changed to not be implicit on core because", " installing policy files is not possible", " - upower-observe interface: allow stats refresh", " - gpg-public-keys interface: allow creating lock file for certain", " gpg operations", " - shutdown interface: allow access to SetRebootParameter method", " - media-control interface: allow device file locking", " - u2f-devices interface: support for Trustkey G310H, JaCarta U2F,", " Kensington VeriMark Guard, RSA DS100, Google Titan v2", "" ], "package": "snapd", "version": "2.62+23.10", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2058277 ], "author": "Ernest Lotter ", "date": "Thu, 21 Mar 2024 22:06:09 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2039017", " - Install systemd files in correct location for 24.04", "" ], "package": "snapd", "version": "2.61.3", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2039017 ], "author": "Ernest Lotter ", "date": "Wed, 06 Mar 2024 23:18:11 +0200" } ], "notes": null }, { "name": "ubuntu-advantage-tools", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2~23.10", "version": "31.2~23.10" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2.3~23.10", "version": "31.2.3~23.10" }, "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2059952, 2059952, 2057937 ], "changes": [ { "cves": [], "log": [ "", " * Backport new upstream release to mantic (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3~23.10", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Fri, 05 Apr 2024 10:09:10 -0300" }, { "cves": [], "log": [ "", " * daemon: wait for cloud-init.service to fully activate (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Tue, 02 Apr 2024 10:13:32 -0300" }, { "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "log": [ "", " * No-change rebuild for CVE-2024-3094", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2build1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Sun, 31 Mar 2024 00:15:29 +0000" }, { "cves": [], "log": [ "", " * version.py: fix internal version to match ubuntu package version (it was", " missed in the previous upload, so 31.2.1 is \"burned\" now)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Andreas Hasenack ", "date": "Sun, 24 Mar 2024 10:52:02 -0300" }, { "cves": [], "log": [ "", " * apt-news.service: ignore apparmor errors when starting (LP: #2057937)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2057937 ], "author": "Andreas Hasenack ", "date": "Tue, 19 Mar 2024 11:02:58 -0300" } ], "notes": null }, { "name": "ubuntu-pro-client", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2~23.10", "version": "31.2~23.10" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2.3~23.10", "version": "31.2.3~23.10" }, "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2059952, 2059952, 2057937 ], "changes": [ { "cves": [], "log": [ "", " * Backport new upstream release to mantic (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3~23.10", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Fri, 05 Apr 2024 10:09:10 -0300" }, { "cves": [], "log": [ "", " * daemon: wait for cloud-init.service to fully activate (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Tue, 02 Apr 2024 10:13:32 -0300" }, { "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "log": [ "", " * No-change rebuild for CVE-2024-3094", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2build1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Sun, 31 Mar 2024 00:15:29 +0000" }, { "cves": [], "log": [ "", " * version.py: fix internal version to match ubuntu package version (it was", " missed in the previous upload, so 31.2.1 is \"burned\" now)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Andreas Hasenack ", "date": "Sun, 24 Mar 2024 10:52:02 -0300" }, { "cves": [], "log": [ "", " * apt-news.service: ignore apparmor errors when starting (LP: #2057937)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2057937 ], "author": "Andreas Hasenack ", "date": "Tue, 19 Mar 2024 11:02:58 -0300" } ], "notes": null }, { "name": "ubuntu-pro-client-l10n", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2~23.10", "version": "31.2~23.10" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "31.2.3~23.10", "version": "31.2.3~23.10" }, "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2059952, 2059952, 2057937 ], "changes": [ { "cves": [], "log": [ "", " * Backport new upstream release to mantic (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3~23.10", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Fri, 05 Apr 2024 10:09:10 -0300" }, { "cves": [], "log": [ "", " * daemon: wait for cloud-init.service to fully activate (LP: #2059952)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2059952 ], "author": "Lucas Moura ", "date": "Tue, 02 Apr 2024 10:13:32 -0300" }, { "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "log": [ "", " * No-change rebuild for CVE-2024-3094", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2build1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Sun, 31 Mar 2024 00:15:29 +0000" }, { "cves": [], "log": [ "", " * version.py: fix internal version to match ubuntu package version (it was", " missed in the previous upload, so 31.2.1 is \"burned\" now)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Andreas Hasenack ", "date": "Sun, 24 Mar 2024 10:52:02 -0300" }, { "cves": [], "log": [ "", " * apt-news.service: ignore apparmor errors when starting (LP: #2057937)", "" ], "package": "ubuntu-advantage-tools", "version": "31.2.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2057937 ], "author": "Andreas Hasenack ", "date": "Tue, 19 Mar 2024 11:02:58 -0300" } ], "notes": null }, { "name": "util-linux", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null }, { "name": "uuid-runtime", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.1", "version": "2.39.1-4ubuntu2.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.1-4ubuntu2.2", "version": "2.39.1-4ubuntu2.2" }, "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-28085", "url": "https://ubuntu.com/security/CVE-2024-28085", "cve_description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "cve_priority": "medium", "cve_public_date": "2024-03-27 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Improper neutralization of escape sequences in wall", " - debian/rules: build with --disable-use-tty-group to properly remove", " setgid bit from both wall and write.", " - CVE-2024-28085", "" ], "package": "util-linux", "version": "2.39.1-4ubuntu2.2", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 09 Apr 2024 11:31:56 -0400" } ], "notes": null } ], "snap": [ { "name": "core22", "from_version": { "source_package_name": null, "source_package_version": null, "version": "1123" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": "1382" } }, { "name": "snapd", "from_version": { "source_package_name": null, "source_package_version": null, "version": "21187" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": "21468" } } ] }, "added": { "deb": [ { "name": "linux-headers-6.5.0-28", "from_version": { "source_package_name": "linux", "source_package_version": "6.5.0-27.28", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.5.0-28.29", "version": "6.5.0-28.29" }, "cves": [ { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26591", "url": "https://ubuntu.com/security/CVE-2024-26591", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: - prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation.", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2059706, 1786013, 2059143, 2059284, 2056403, 2056403, 2058808 ], "changes": [ { "cves": [ { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26591", "url": "https://ubuntu.com/security/CVE-2024-26591", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: - prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation.", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "log": [ "", " * mantic/linux: 6.5.0-28.29 -proposed tracker (LP: #2059706)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] drop getabis data", "", " * Remove getabis scripts (LP: #2059143)", " - [Packaging] Remove getabis", "", " * CVE-2023-52600", " - jfs: fix uaf in jfs_evict_inode", "", " * Mantic update: upstream stable patchset 2024-03-27 (LP: #2059284) //", " CVE-2023-52603", " - UBSAN: array-index-out-of-bounds in dtSplitRoot", "", " * CVE-2024-26581", " - netfilter: nft_set_rbtree: skip end interval element from gc", "", " * Mantic update: upstream stable patchset 2024-03-07 (LP: #2056403) //", " CVE-2024-26589", " - bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS", "", " * Mantic update: upstream stable patchset 2024-03-07 (LP: #2056403) //", " CVE-2024-26591", " - bpf: Fix re-attachment branch in bpf_tracing_prog_attach", "", " * iwlwifi disconnect and crash - intel wifi7 (LP: #2058808)", " - wifi: iwlwifi: pcie: fix RB status reading", "" ], "package": "linux", "version": "6.5.0-28.29", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2059706, 1786013, 2059143, 2059284, 2056403, 2056403, 2058808 ], "author": "Manuel Diewald ", "date": "Thu, 28 Mar 2024 19:28:42 +0100" } ], "notes": "linux-headers-6.5.0-28 version '6.5.0-28.29' (source package linux version '6.5.0-28.29') was added. linux-headers-6.5.0-28 version '6.5.0-28.29' has the same source package name, linux, as removed package linux-headers-6.5.0-27. As such we can use the source package version of the removed package, '6.5.0-27.28', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-6.5.0-28-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.5.0-27.28", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.5.0-28.29", "version": "6.5.0-28.29" }, "cves": [ { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26591", "url": "https://ubuntu.com/security/CVE-2024-26591", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: - prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation.", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2059706, 1786013, 2059143, 2059284, 2056403, 2056403, 2058808 ], "changes": [ { "cves": [ { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26591", "url": "https://ubuntu.com/security/CVE-2024-26591", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: - prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation.", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "log": [ "", " * mantic/linux: 6.5.0-28.29 -proposed tracker (LP: #2059706)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] drop getabis data", "", " * Remove getabis scripts (LP: #2059143)", " - [Packaging] Remove getabis", "", " * CVE-2023-52600", " - jfs: fix uaf in jfs_evict_inode", "", " * Mantic update: upstream stable patchset 2024-03-27 (LP: #2059284) //", " CVE-2023-52603", " - UBSAN: array-index-out-of-bounds in dtSplitRoot", "", " * CVE-2024-26581", " - netfilter: nft_set_rbtree: skip end interval element from gc", "", " * Mantic update: upstream stable patchset 2024-03-07 (LP: #2056403) //", " CVE-2024-26589", " - bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS", "", " * Mantic update: upstream stable patchset 2024-03-07 (LP: #2056403) //", " CVE-2024-26591", " - bpf: Fix re-attachment branch in bpf_tracing_prog_attach", "", " * iwlwifi disconnect and crash - intel wifi7 (LP: #2058808)", " - wifi: iwlwifi: pcie: fix RB status reading", "" ], "package": "linux", "version": "6.5.0-28.29", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2059706, 1786013, 2059143, 2059284, 2056403, 2056403, 2058808 ], "author": "Manuel Diewald ", "date": "Thu, 28 Mar 2024 19:28:42 +0100" } ], "notes": "linux-headers-6.5.0-28-generic version '6.5.0-28.29' (source package linux version '6.5.0-28.29') was added. linux-headers-6.5.0-28-generic version '6.5.0-28.29' has the same source package name, linux, as removed package linux-headers-6.5.0-27. As such we can use the source package version of the removed package, '6.5.0-27.28', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-6.5.0-28-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.5.0-27.28", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "6.5.0-28.29", "version": "6.5.0-28.29" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.5.0-28.29", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.5.0-28.29", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Thu, 28 Mar 2024 19:34:23 +0100" } ], "notes": "linux-image-6.5.0-28-generic version '6.5.0-28.29' (source package linux-signed version '6.5.0-28.29') was added. linux-image-6.5.0-28-generic version '6.5.0-28.29' has the same source package name, linux-signed, as removed package linux-image-6.5.0-27-generic. As such we can use the source package version of the removed package, '6.5.0-27.28', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-6.5.0-28-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.5.0-27.28", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.5.0-28.29", "version": "6.5.0-28.29" }, "cves": [ { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26591", "url": "https://ubuntu.com/security/CVE-2024-26591", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: - prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation.", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2059706, 1786013, 2059143, 2059284, 2056403, 2056403, 2058808 ], "changes": [ { "cves": [ { "cve": "CVE-2023-52600", "url": "https://ubuntu.com/security/CVE-2023-52600", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: fix uaf in jfs_evict_inode When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2023-52603", "url": "https://ubuntu.com/security/CVE-2023-52603", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: UBSAN: array-index-out-of-bounds in dtSplitRoot Syzkaller reported the following issue: oop0: detected capacity change from 0 to 32768 UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9 index -2 is out of range for type 'struct dtslot [128]' CPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283 dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971 dtSplitUp fs/jfs/jfs_dtree.c:985 [inline] dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863 jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270 vfs_mkdir+0x3b3/0x590 fs/namei.c:4013 do_mkdirat+0x279/0x550 fs/namei.c:4038 __do_sys_mkdirat fs/namei.c:4053 [inline] __se_sys_mkdirat fs/namei.c:4051 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcdc0113fd9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0 R10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000 R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000 The issue is caused when the value of fsi becomes less than -1. The check to break the loop when fsi value becomes -1 is present but syzbot was able to produce value less than -1 which cause the error. This patch simply add the change for the values less than 0. The patch is tested via syzbot.", "cve_priority": "medium", "cve_public_date": "2024-03-06 07:15:00 UTC" }, { "cve": "CVE-2024-26581", "url": "https://ubuntu.com/security/CVE-2024-26581", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.", "cve_priority": "medium", "cve_public_date": "2024-02-20 13:15:00 UTC" }, { "cve": "CVE-2024-26589", "url": "https://ubuntu.com/security/CVE-2024-26589", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with \"R7 pointer arithmetic on flow_keys prohibited\".", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" }, { "cve": "CVE-2024-26591", "url": "https://ubuntu.com/security/CVE-2024-26591", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: 1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3 In the end we have: - prog->aux->dst_trampoline == NULL - tgt_prog == NULL (because we did not provide target_fd to link_create) - prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X) - the program was loaded for tgt_prog but we have no way to find out which one BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Return -EINVAL in this situation.", "cve_priority": "medium", "cve_public_date": "2024-02-22 17:15:00 UTC" } ], "log": [ "", " * mantic/linux: 6.5.0-28.29 -proposed tracker (LP: #2059706)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] drop getabis data", "", " * Remove getabis scripts (LP: #2059143)", " - [Packaging] Remove getabis", "", " * CVE-2023-52600", " - jfs: fix uaf in jfs_evict_inode", "", " * Mantic update: upstream stable patchset 2024-03-27 (LP: #2059284) //", " CVE-2023-52603", " - UBSAN: array-index-out-of-bounds in dtSplitRoot", "", " * CVE-2024-26581", " - netfilter: nft_set_rbtree: skip end interval element from gc", "", " * Mantic update: upstream stable patchset 2024-03-07 (LP: #2056403) //", " CVE-2024-26589", " - bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS", "", " * Mantic update: upstream stable patchset 2024-03-07 (LP: #2056403) //", " CVE-2024-26591", " - bpf: Fix re-attachment branch in bpf_tracing_prog_attach", "", " * iwlwifi disconnect and crash - intel wifi7 (LP: #2058808)", " - wifi: iwlwifi: pcie: fix RB status reading", "" ], "package": "linux", "version": "6.5.0-28.29", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2059706, 1786013, 2059143, 2059284, 2056403, 2056403, 2058808 ], "author": "Manuel Diewald ", "date": "Thu, 28 Mar 2024 19:28:42 +0100" } ], "notes": "linux-modules-6.5.0-28-generic version '6.5.0-28.29' (source package linux version '6.5.0-28.29') was added. linux-modules-6.5.0-28-generic version '6.5.0-28.29' has the same source package name, linux, as removed package linux-headers-6.5.0-27. As such we can use the source package version of the removed package, '6.5.0-27.28', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.5.0-27", "from_version": { "source_package_name": "linux", "source_package_version": "6.5.0-27.28", "version": "6.5.0-27.28" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-6.5.0-27-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.5.0-27.28", "version": "6.5.0-27.28" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-6.5.0-27-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.5.0-27.28", "version": "6.5.0-27.28" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-6.5.0-27-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.5.0-27.28", "version": "6.5.0-27.28" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 23.10 mantic image from release image serial 20240410 to 20240508", "from_series": "mantic", "to_series": "mantic", "from_serial": "20240410", "to_serial": "20240508", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }