Ubuntu Security Advisories

USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused Squid to crash in certain environments on Ubuntu 20.04 LTS. The problematic fix has been reverted pending further investigation. We apologize for the inconvenience. Original advisory details: Joshua Rogers discovered that Squid incorrectly handled collapsed forwarding. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288) Joshua Rogers discovered that Squid incorrectly handled certain structural elements. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2023-5824) Joshua Rogers discovered that Squid incorrectly handled Cache Manager error responses. A remote trusted client can possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2024-23638) Joshua Rogers discovered that Squid incorrectly handled the HTTP Chunked decoder. A remote attacker could possibly use this issue to cause Squid to stop responding, resulting in a denial of service. (CVE-2024-25111) Joshua Rogers discovered that Squid incorrectly handled HTTP header parsing. A remote trusted client can possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2024-25617)

Joshua Rogers discovered that Squid incorrectly handled collapsed forwarding. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288) Joshua Rogers discovered that Squid incorrectly handled certain structural elements. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2023-5824) Joshua Rogers discovered that Squid incorrectly handled Cache Manager error responses. A remote trusted client can possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2024-23638) Joshua Rogers discovered that Squid incorrectly handled the HTTP Chunked decoder. A remote attacker could possibly use this issue to cause Squid to stop responding, resulting in a denial of service. (CVE-2024-25111) Joshua Rogers discovered that Squid incorrectly handled HTTP header parsing. A remote trusted client can possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2024-25617)

It was discovered that NSS incorrectly handled padding when checking PKCS#1 certificates. A remote attacker could possibly use this issue to perform Bleichenbacher-like attacks and recover private data. This issue only affected Ubuntu 20.04 LTS. (CVE-2023-4421) It was discovered that NSS had a timing side-channel when performing RSA decryption. A remote attacker could possibly use this issue to recover private data. (CVE-2023-5388) It was discovered that NSS had a timing side-channel when using certain NIST curves. A remote attacker could possibly use this issue to recover private data. (CVE-2023-6135) The NSS package contained outdated CA certificates. This update refreshes the NSS package to version 3.98 which includes the latest CA certificate bundle and other security improvements.

USN-6719-1 fixed a vulnerability in util-linux. Unfortunately, it was discovered that the fix did not fully address the issue. This update removes the setgid permission bit from the wall and write utilities. Original advisory details: Skyler Ferrante discovered that the util-linux wall command did not filter escape sequences from command line arguments. A local attacker could possibly use this issue to obtain sensitive information.

USN-6721-1 fixed vulnerabilities in X.Org X Server. That fix was incomplete resulting in a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that X.Org X Server incorrectly handled certain data. An attacker could possibly use this issue to expose sensitive information. (CVE-2024-31080, CVE-2024-31081, CVE-2024-31082) It was discovered that X.Org X Server incorrectly handled certain glyphs. An attacker could possibly use this issue to cause a crash or expose sensitive information. (CVE-2024-31083)

Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service (bluetooth communication). (CVE-2023-2002) It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-23000) It was discovered that Spectre-BHB mitigations were missing for Ampere processors. A local attacker could potentially use this to expose sensitive information. (CVE-2023-3006) It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle block device modification while it is mounted. A privileged attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-34256) Eric Dumazet discovered that the netfilter subsystem in the Linux kernel did not properly handle DCCP conntrack buffers in certain situations, leading to an out-of-bounds read vulnerability. An attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2023-39197) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel did not properly handle device initialization failures in certain situations, leading to a use-after-free vulnerability. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2023-4132) Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero length data request, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service (host domain crash). (CVE-2023-46838) It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51781) Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel did not properly handle connect command payloads in certain situations, leading to an out-of-bounds read vulnerability. A remote attacker could use this to expose sensitive information (kernel memory). (CVE-2023-6121) It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle the remount operation in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2024-0775) Notselwyn discovered that the netfilter subsystem in the Linux kernel did not properly handle verdict parameters in certain cases, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-1086) It was discovered that a race condition existed in the SCSI Emulex LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF and re-scanning an HBA FCF table, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-24855)

Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero length data request, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service (host domain crash). (CVE-2023-46838) It was discovered that the IPv6 implementation of the Linux kernel did not properly manage route cache memory usage. A remote attacker could use this to cause a denial of service (memory exhaustion). (CVE-2023-52340) It was discovered that the device mapper driver in the Linux kernel did not properly validate target size during certain memory allocations. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-52429, CVE-2024-23851) Dan Carpenter discovered that the netfilter subsystem in the Linux kernel did not store data in properly sized memory locations. A local user could use this to cause a denial of service (system crash). (CVE-2024-0607) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Architecture specifics; - Cryptographic API; - Android drivers; - EDAC drivers; - GPU drivers; - Media drivers; - MTD block device drivers; - Network drivers; - NVME drivers; - TTY drivers; - Userspace I/O drivers; - F2FS file system; - GFS2 file system; - IPv6 Networking; - AppArmor security module; (CVE-2023-52464, CVE-2023-52448, CVE-2023-52457, CVE-2023-52443, CVE-2023-52439, CVE-2023-52612, CVE-2024-26633, CVE-2024-26597, CVE-2023-52449, CVE-2023-52444, CVE-2023-52609, CVE-2023-52469, CVE-2023-52445, CVE-2023-52451, CVE-2023-52470, CVE-2023-52454, CVE-2023-52436, CVE-2023-52438)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate certain data structure fields when parsing lease contexts, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-1194) Quentin Minster discovered that a race condition existed in the KSMBD implementation in the Linux kernel, leading to a use-after-free vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-32254) It was discovered that a race condition existed in the KSMBD implementation in the Linux kernel when handling session connections, leading to a use- after-free vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-32258) It was discovered that the KSMBD implementation in the Linux kernel did not properly validate buffer sizes in certain operations, leading to an integer underflow and out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-38427) Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate SMB request protocol IDs, leading to a out-of- bounds read vulnerability. A remote attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-38430) Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate packet header sizes in certain situations, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-38431) It was discovered that the KSMBD implementation in the Linux kernel did not properly handle session setup requests, leading to an out-of-bounds read vulnerability. A remote attacker could use this to expose sensitive information. (CVE-2023-3867) Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero length data request, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service (host domain crash). (CVE-2023-46838) It was discovered that the IPv6 implementation of the Linux kernel did not properly manage route cache memory usage. A remote attacker could use this to cause a denial of service (memory exhaustion). (CVE-2023-52340) It was discovered that the device mapper driver in the Linux kernel did not properly validate target size during certain memory allocations. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-52429, CVE-2024-23851) Yang Chaoming discovered that the KSMBD implementation in the Linux kernel did not properly validate request buffer sizes, leading to an out-of-bounds read vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2024-22705) Chenyuan Yang discovered that the btrfs file system in the Linux kernel did not properly handle read operations on newly created subvolumes in certain conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-23850) It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel, leading to a null pointer dereference vulnerability. A privileged local attacker could use this to possibly cause a denial of service (system crash). (CVE-2024-24860) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Architecture specifics; - Block layer; - Cryptographic API; - Android drivers; - EDAC drivers; - GPU drivers; - Media drivers; - Multifunction device drivers; - MTD block device drivers; - Network drivers; - NVME drivers; - TTY drivers; - Userspace I/O drivers; - EFI Variable file system; - F2FS file system; - GFS2 file system; - SMB network file system; - BPF subsystem; - IPv6 Networking; - Network Traffic Control; - AppArmor security module; (CVE-2023-52463, CVE-2023-52445, CVE-2023-52462, CVE-2023-52609, CVE-2023-52448, CVE-2023-52457, CVE-2023-52464, CVE-2023-52456, CVE-2023-52454, CVE-2023-52438, CVE-2023-52480, CVE-2023-52443, CVE-2023-52442, CVE-2024-26631, CVE-2023-52439, CVE-2023-52612, CVE-2024-26598, CVE-2024-26586, CVE-2024-26589, CVE-2023-52444, CVE-2023-52436, CVE-2024-26633, CVE-2024-26597, CVE-2023-52458, CVE-2024-26591, CVE-2023-52449, CVE-2023-52467, CVE-2023-52441, CVE-2023-52610, CVE-2023-52451, CVE-2023-52469, CVE-2023-52470)

Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero length data request, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service (host domain crash). (CVE-2023-46838) It was discovered that the Habana's AI Processors driver in the Linux kernel did not properly initialize certain data structures before passing them to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2023-50431) It was discovered that the device mapper driver in the Linux kernel did not properly validate target size during certain memory allocations. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-52429, CVE-2024-23851) It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate certain SMB messages, leading to an out-of-bounds read vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6610) Yang Chaoming discovered that the KSMBD implementation in the Linux kernel did not properly validate request buffer sizes, leading to an out-of-bounds read vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2024-22705) Chenyuan Yang discovered that the btrfs file system in the Linux kernel did not properly handle read operations on newly created subvolumes in certain conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-23850) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Android drivers; - Userspace I/O drivers; - F2FS file system; - SMB network file system; - Networking core; (CVE-2023-52434, CVE-2023-52436, CVE-2023-52435, CVE-2023-52439, CVE-2023-52438)

Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered that Bind icorrectly handled validating DNSSEC messages. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service. (CVE-2023-50387) It was discovered that Bind incorrectly handled preparing an NSEC3 closest encloser proof. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service. (CVE-2023-50868)

Simon Charette discovered that the password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts.

It was discovered that X.Org X Server incorrectly handled certain data. An attacker could possibly use this issue to expose sensitive information. (CVE-2024-31080, CVE-2024-31081, CVE-2024-31082) It was discovered that X.Org X Server incorrectly handled certain glyphs. An attacker could possibly use this issue to cause a crash or expose sensitive information. (CVE-2024-31083)

USN-6710-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Original advisory details: Manfred Paul discovered that Firefox did not properly perform bounds checking during range analysis, leading to an out-of-bounds write vulnerability. A attacker could use this to cause a denial of service, or execute arbitrary code. (CVE-2024-29943) Manfred Paul discovered that Firefox incorrectly handled MessageManager listeners under certain circumstances. An attacker who was able to inject an event handler into a privileged object may have been able to execute arbitrary code. (CVE-2024-29944)

It was discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-1872) Lonial Con discovered that the netfilter subsystem in the Linux kernel contained a memory leak when handling certain element flush operations. A local attacker could use this to expose sensitive information (kernel memory).(CVE-2023-4569) It was discovered that the TLS subsystem in the Linux kernel did not properly perform cryptographic operations in some situations, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-6176) It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-51781) Jann Horn discovered that the TLS subsystem in the Linux kernel did not properly handle spliced messages, leading to an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2024-0646) Notselwyn discovered that the netfilter subsystem in the Linux kernel did not properly handle verdict parameters in certain cases, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2024-1086)

Kentaro Kawane discovered that Cacti incorrectly handled user provided input sent through request parameters to the graph_view.php script. A remote authenticated attacker could use this issue to perform SQL injection attacks.

Lonial Con discovered that the netfilter subsystem in the Linux kernel did not properly handle element deactivation in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-1085) Notselwyn discovered that the netfilter subsystem in the Linux kernel did not properly handle verdict parameters in certain cases, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-1086) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Network drivers; - PWM drivers; (CVE-2024-26597, CVE-2024-26599)

It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-23000) Quentin Minster discovered that the KSMBD implementation in the Linux kernel did not properly handle session setup requests. A remote attacker could possibly use this to cause a denial of service (memory exhaustion). (CVE-2023-32247) Lonial Con discovered that the netfilter subsystem in the Linux kernel did not properly handle element deactivation in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-1085) Notselwyn discovered that the netfilter subsystem in the Linux kernel did not properly handle verdict parameters in certain cases, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-1086) It was discovered that a race condition existed in the SCSI Emulex LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF and re-scanning an HBA FCF table, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-24855)

It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the Linux kernel did not properly handle certain error conditions during device registration. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-22995) It was discovered that a race condition existed in the Cypress touchscreen driver in the Linux kernel during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4134) 黄思聪 discovered that the NFC Controller Interface (NCI) implementation in the Linux kernel did not properly handle certain memory allocation failure conditions, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-46343) It was discovered that the io_uring subsystem in the Linux kernel contained a race condition, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-46862) It was discovered that a race condition existed in the Bluetooth subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51779) It was discovered that a race condition existed in the Rose X.25 protocol implementation in the Linux kernel, leading to a use-after- free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51782) Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel did not properly handle connect command payloads in certain situations, leading to an out-of-bounds read vulnerability. A remote attacker could use this to expose sensitive information (kernel memory). (CVE-2023-6121) It was discovered that the VirtIO subsystem in the Linux kernel did not properly initialize memory in some situations. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2024-0340) Dan Carpenter discovered that the netfilter subsystem in the Linux kernel did not store data in properly sized memory locations. A local user could use this to cause a denial of service (system crash). (CVE-2024-0607)

It was discovered that unixODBC incorrectly handled certain bytes. An attacker could use this issue to execute arbitrary code or cause a crash.

Skyler Ferrante discovered that the util-linux wall command did not filter escape sequences from command line arguments. A local attacker could possibly use this issue to obtain sensitive information.