Release ubuntu jammy v1.147 · cloudfoundry/bosh-linux-stemcell-builder

Metadata:

BOSH Agent Version: 2.548.0

USNs:

Title: USN-6180-1: VLC media player vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6180-1
Priorities: low,medium
Description:
It was discovered that VLC could be made to read out of bounds when
decoding image files. If a user were tricked into opening a crafted image
file, a remote attacker could possibly use this issue to cause VLC to
crash, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-19721)

It was discovered that VLC could be made to write out of bounds when
processing H.264 video files. If a user were tricked into opening a
crafted H.264 video file, a remote attacker could possibly use this issue
to cause VLC to crash, leading to a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-13428)

It was discovered that VLC could be made to read out of bounds when
processing AVI video files. If a user were tricked into opening a crafted
AVI video file, a remote attacker could possibly use this issue to cause
VLC to crash, leading to a denial of service. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-25801,
CVE-2021-25802, CVE-2021-25803, CVE-2021-25804)

It was discovered that the VNC module of VLC contained an arithmetic
overflow. If a user were tricked into opening a crafted playlist or
connecting to a rouge VNC server, a remote attacker could possibly use
this issue to cause VLC to crash, leading to a denial of service, or
possibly execute arbitrary code. (CVE-2022-41325)
CVEs:

Title: USN-6163-1: pano13 vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6163-1
Priorities: medium
Description:
It was discovered that pano13 did not properly validate the prefix provided
for PTcrop's output. An attacker could use this issue to cause pano13 to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-20307)

It was discovered that pano13 did not properly handle certain crafted TIFF
images. An attacker could use this issue to cause pano13 to crash,
resulting in a denial of service. (CVE-2021-33293)
CVEs:

Title: USN-6146-1: Netatalk vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6146-1
Priorities: medium,high
Description:
It was discovered that Netatalk did not properly validate the length of
user-supplied data in the DSI structures. A remote attacker could possibly
use this issue to execute arbitrary code with the privileges of the user
invoking the programs. This issue only affected Ubuntu 20.04 LTS and Ubuntu
22.04 LTS. (CVE-2021-31439)

It was discovered that Netatalk did not properly validate the length of
user-supplied data in the ad_addcomment function. A remote attacker could
possibly use this issue to execute arbitrary code with root privileges.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-0194)

It was discovered that Netatalk did not properly handle errors when parsing
AppleDouble entries. A remote attacker could possibly use this issue to
execute arbitrary code with root privileges. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2022-23121)

It was discovered that Netatalk did not properly validate the length of
user-supplied data in the setfilparams function. A remote attacker could
possibly use this issue to execute arbitrary code with root privileges.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-23122)

It was discovered that Netatalk did not properly validate the length of
user-supplied data in the getdirparams function. A remote attacker could
possibly use this issue to execute arbitrary code with root privileges.
This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04
LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-23123)

It was discovered that Netatalk did not properly validate the length of
user-supplied data in the get_finderinfo function. A remote attacker could
possibly use this issue to execute arbitrary code with root privileges.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2022-23124)

It was discovered that Netatalk did not properly validate the length of
user-supplied data in the copyapplfile function. A remote attacker could
possibly use this issue to execute arbitrary code with root privileges.
This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04
LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-23125)

It was discovered that Netatalk did not properly validate the length of
user-supplied data in the dsi_writeinit function. A remote attacker could
possibly use this issue to execute arbitrary code with root privileges.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu
22.10. (CVE-2022-43634)

It was discovered that Netatalk did not properly manage memory under
certain circumstances. If a user were tricked into opening a specially
crafted .appl file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2022-45188)
CVEs:

Title: USN-6167-1: QEMU vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6167-1
Priorities: low,medium
Description:
It was discovered that QEMU did not properly manage the guest drivers when
shared buffers are not allocated. A malicious guest driver could use this
issue to cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu
22.04 LTS and Ubuntu 22.10. (CVE-2022-1050)

It was discovered that QEMU did not properly check the size of the
structure pointed to by the guest physical address pqxl. A malicious guest
attacker could use this issue to cause QEMU to crash, resulting in a denial
of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10.
(CVE-2022-4144)

It was discovered that QEMU did not properly manage memory in the ACPI
Error Record Serialization Table (ERST) device. A malicious guest attacker
could use this issue to cause QEMU to crash, resulting in a denial of
service. This issue only affected Ubuntu 22.10. (CVE-2022-4172)

It was discovered that QEMU did not properly manage memory when DMA memory
writes happen repeatedly in the lsi53c895a device. A malicious guest
attacker could use this issue to cause QEMU to crash, resulting in a denial
of service. (CVE-2023-0330)
CVEs:

Title: USN-6169-1: GNU SASL vulnerability
URL: https://ubuntu.com/security/notices/USN-6169-1
Priorities: low
Description:
It was discovered that GNU SASL's GSSAPI server could make an
out-of-bounds reads if given specially crafted GSS-API authentication
data. A remote attacker could possibly use this issue to cause a
denial of service or to expose sensitive information.
CVEs:

https://ubuntu.com/security/CVE-2022-2469

Title: USN-6145-1: Sysstat vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6145-1
Priorities: medium
Description:
It was discovered that Sysstat incorrectly handled certain arithmetic
multiplications. An attacker could use this issue to cause Sysstat to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue was only fixed for Ubuntu 16.04 LTS. (CVE-2022-39377)

It was discovered that Sysstat incorrectly handled certain arithmetic
multiplications in 64-bit systems, as a result of an incomplete fix for
CVE-2022-39377. An attacker could use this issue to cause Sysstat to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2023-33204)
CVEs:

Title: USN-6171-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6171-1
Priorities: medium,low
Description:
William Zhao discovered that the Traffic Control (TC) subsystem in the
Linux kernel did not properly handle network packet retransmission in
certain situations. A local attacker could use this to cause a denial of
service (kernel deadlock). (CVE-2022-4269)

It was discovered that the TUN/TAP driver in the Linux kernel did not
properly initialize socket data. A local attacker could use this to cause a
denial of service (system crash). (CVE-2023-1076)

It was discovered that the Real-Time Scheduling Class implementation in the
Linux kernel contained a type confusion vulnerability in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-1077)

It was discovered that the ASUS HID driver in the Linux kernel did not
properly handle device removal, leading to a use-after-free vulnerability.
A local attacker with physical access could plug in a specially crafted USB
device to cause a denial of service (system crash). (CVE-2023-1079)

It was discovered that the Xircom PCMCIA network device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2023-1670)

It was discovered that a race condition existed in the Xen transport layer
implementation for the 9P file system protocol in the Linux kernel, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (guest crash) or expose sensitive information (guest
kernel memory). (CVE-2023-1859)

Jose Oliveira and Rodrigo Branco discovered that the Spectre Variant 2
mitigations with prctl syscall were insufficient in some situations. A
local attacker could possibly use this to expose sensitive information.
(CVE-2023-1998)

It was discovered that the BigBen Interactive Kids' gamepad driver in the
Linux kernel did not properly handle device removal, leading to a use-
after-free vulnerability. A local attacker with physical access could plug
in a specially crafted USB device to cause a denial of service (system
crash). (CVE-2023-25012)

It was discovered that a use-after-free vulnerability existed in the HFS+
file system implementation in the Linux kernel. A local attacker could
possibly use this to cause a denial of service (system crash).
(CVE-2023-2985)
CVEs:

Title: LSN-0095-1: Kernel Live Patch Security Notice
URL: https://ubuntu.com/security/notices/LSN-0095-1
Priorities: high,medium
Description:
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges.(CVE-2023-0386)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux
kernel did not properly perform data buffer size validation in some
situations. A physically proximate attacker could use this to craft a
malicious USB device that when inserted, could cause a denial of service
(system crash) or possibly expose sensitive information.(CVE-2023-1380)

It was discovered that a race condition existed in the io_uring subsystem
in the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code.(CVE-2023-1872)

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu
Linux kernel contained a race condition when handling inode locking in some
situations. A local attacker could use this to cause a denial of service
(kernel deadlock).(CVE-2023-2612)

Gwangun Jung discovered that the Quick Fair Queueing scheduler
implementation in the Linux kernel contained an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code.(CVE-2023-31436)

Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in
the netfilter subsystem of the Linux kernel when processing batch requests,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code.(CVE-2023-32233)
CVEs:

Title: USN-6144-1: LibreOffice vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6144-1
Priorities: medium
Description:
It was discovered that LibreOffice did not properly validate the number of
parameters passed to the formula interpreter, leading to an array index
underflow attack. If a user were tricked into opening a specially crafted
spreadsheet file, an attacker could possibly use this issue to execute
arbitrary code. (CVE-2023-0950)

Amel Bouziane-Leblond discovered that LibreOffice did not prompt the user
before loading the host document inside an IFrame. If a user were tricked
into opening a specially crafted input file, an attacker could possibly use
this issue to cause information disclosure or execute arbitrary code.
(CVE-2023-2255)
CVEs:

Title: USN-6179-1: Jettison vulnerability
URL: https://ubuntu.com/security/notices/USN-6179-1
Priorities: medium
Description:
It was discovered that Jettison incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service.
CVEs:

https://ubuntu.com/security/CVE-2023-1436

Title: USN-6138-1: libssh vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6138-1
Priorities: medium
Description:
Philip Turnbull discovered that libssh incorrectly handled rekeying with
algorithm guessing. A remote attacker could use this issue to cause libssh
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2023-1667)

Kevin Backhouse discovered that libssh incorrectly handled verifying data
signatures. A remote attacker could possibly use this issue to bypass
authorization. (CVE-2023-2283)
CVEs:

Title: USN-6137-1: LibRaw vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6137-1
Priorities: medium,low
Description:
It was discovered that LibRaw incorrectly handled photo files. If a user or
automated system were tricked into processing a specially crafted photo
file, a remote attacker could cause applications linked against LibRaw to
crash, resulting in a denial of service, or possibly execute arbitrary
code.
CVEs:

Title: USN-6133-1: Linux kernel (Intel IoTG) vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6133-1
Priorities: high,medium,low,negligible
Description:
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)

It was discovered that some AMD x86-64 processors with SMT enabled could
speculatively execute instructions using a return address from a sibling
thread. A local attacker could possibly use this to expose sensitive
information. (CVE-2022-27672)

Zheng Wang discovered that the Intel i915 graphics driver in the Linux
kernel did not properly handle certain error conditions, leading to a
double-free. A local attacker could possibly use this to cause a denial of
service (system crash). (CVE-2022-3707)

Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did
not properly implement speculative execution barriers in usercopy functions
in certain situations. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2023-0459)

It was discovered that the TLS subsystem in the Linux kernel contained a
type confusion vulnerability in some situations. A local attacker could use
this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2023-1075)

It was discovered that the Reliable Datagram Sockets (RDS) protocol
implementation in the Linux kernel contained a type confusion vulnerability
in some situations. An attacker could use this to cause a denial of service
(system crash). (CVE-2023-1078)

Xingyuan Mo discovered that the x86 KVM implementation in the Linux kernel
did not properly initialize some data structures. A local attacker could
use this to expose sensitive information (kernel memory). (CVE-2023-1513)

It was discovered that the Android Binder IPC subsystem in the Linux kernel
did not properly validate inputs in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-20938)

It was discovered that a use-after-free vulnerability existed in the iSCSI
TCP implementation in the Linux kernel. A local attacker could possibly use
this to cause a denial of service (system crash). (CVE-2023-2162)

It was discovered that the NET/ROM protocol implementation in the Linux
kernel contained a race condition in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-32269)

Duoming Zhou discovered that a race condition existed in the infrared
receiver/transceiver driver in the Linux kernel, leading to a use-after-
free vulnerability. A privileged attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-1118)
CVEs:

Title: USN-6129-1: Avahi vulnerability
URL: https://ubuntu.com/security/notices/USN-6129-1
Priorities: medium
Description:
It was discovered that Avahi incorrectly handled certain DBus messages. A
local attacker could possibly use this issue to cause Avahi to crash,
resulting in a denial of service.
CVEs:

https://ubuntu.com/security/CVE-2023-1981

Title: USN-6154-1: Vim vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6154-1
Priorities: medium
Description:
It was discovered that Vim was using uninitialized memory when fuzzy
matching, which could lead to invalid memory access. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10 and Ubuntu
23.04. (CVE-2023-2426)

It was discovered that Vim was not properly performing bounds checks when
processing register contents, which could lead to a NULL pointer
dereference. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. (CVE-2023-2609)

It was discovered that Vim was not properly limiting the length of
substitution expression strings, which could lead to excessive memory
consumption. An attacker could possibly use this issue to cause a denial
of service. (CVE-2023-2610)
CVEs:

Title: USN-6139-1: Python vulnerability
URL: https://ubuntu.com/security/notices/USN-6139-1
Priorities: medium
Description:
Yebo Cao discovered that Python incorrectly handled certain URLs.
An attacker could use this issue to bypass blockinglisting methods.
This issue was first addressed in USN-5960-1, but was incomplete.
Here we address an additional fix to that issue. (CVE-2023-24329)
CVEs:

Title: USN-6161-1: .NET vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6161-1
Priorities: medium
Description:
It was discovered that .NET did not properly enforce certain
restrictions when deserializing a DataSet or DataTable from
XML. An attacker could possibly use this issue to elevate their
privileges. (CVE-2023-24936)

Kevin Jones discovered that .NET did not properly handle the
AIA fetching process for X.509 client certificates. An attacker
could possibly use this issue to cause a denial of service.
(CVE-2023-29331)

Kalle Niemitalo discovered that the .NET package manager,
NuGet, was susceptible to a potential race condition. An
attacker could possibly use this issue to perform remote
code execution. (CVE-2023-29337)

Tom Deseyn discovered that .NET did not properly process certain
arguments when extracting the contents of a tar file. An attacker
could possibly use this issue to elevate their privileges. This
issue only affected the dotnet7 package. (CVE-2023-32032)

It was discovered that .NET did not properly handle memory in
certain circumstances. An attacker could possibly use this issue
to cause a denial of service or perform remote code execution.
(CVE-2023-33128)
CVEs:

Title: USN-6148-1: SNI Proxy vulnerability
URL: https://ubuntu.com/security/notices/USN-6148-1
Priorities: high
Description:
It was discovered that SNI Proxy did not properly handle wildcard backend
hosts. An attacker could possibly use this issue to cause a buffer overflow,
resulting in a denial of service, or arbitrary code execution.
CVEs:

https://ubuntu.com/security/CVE-2023-25076

Title: USN-6166-1: libcap2 vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6166-1
Priorities: low,medium
Description:
David Gstir discovered that libcap2 incorrectly handled certain return
codes. An attacker could possibly use this issue to cause libcap2 to
consume memory, leading to a denial of service. (CVE-2023-2602)

Richard Weinberger discovered that libcap2 incorrectly handled certain long
input strings. An attacker could use this issue to cause libcap2 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2023-2603)
CVEs:

Title: USN-6183-1: Bind vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6183-1
Priorities: medium
Description:
Shoham Danino, Anat Bremler-Barr, Yehuda Afek, and Yuval Shavitt discovered
that Bind incorrectly handled the cache size limit. A remote attacker could
possibly use this issue to consume memory, leading to a denial of service.
(CVE-2023-2828)

It was discovered that Bind incorrectly handled the recursive-clients
quota. A remote attacker could possibly use this issue to cause Bind to
crash, resulting in a denial of service. This issue only affected Ubuntu
22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-2911)
CVEs:

Title: USN-6164-1: c-ares vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6164-1
Priorities: medium
Description:
Hannes Moesl discovered that c-ares incorrectly handled certain ipv6
addresses. An attacker could use this issue to cause c-ares to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2023-31130)

Xiang Li discovered that c-ares incorrectly handled certain UDP packets. A
remote attacker could possibly use this issue to cause c-res to crash,
resulting in a denial of service. (CVE-2023-32067)
CVEs:

Title: USN-6168-1: libx11 vulnerability
URL: https://ubuntu.com/security/notices/USN-6168-1
Priorities: medium
Description:
Gregory James Duck discovered that libx11 incorrectly handled certain
Request, Event, or Error IDs. If a user were tricked into connecting to a
malicious X Server, a remote attacker could possibly use this issue to
cause libx11 to crash, resulting in a denial of service.
CVEs:

https://ubuntu.com/security/CVE-2023-3138

Title: USN-6173-1: Linux kernel (OEM) vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6173-1
Priorities: high,medium
Description:
Gwangun Jung discovered that the Quick Fair Queueing scheduler
implementation in the Linux kernel contained an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-31436)

Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did
not properly perform permissions checks when handling HCI sockets. A
physically proximate attacker could use this to cause a denial of service
(bluetooth communication). (CVE-2023-2002)

It was discovered that the IPv6 RPL protocol implementation in the Linux
kernel did not properly handle user-supplied data. A remote attacker could
use this to cause a denial of service (system crash). (CVE-2023-2156)

Zheng Zhang discovered that the device-mapper implementation in the Linux
kernel did not properly handle locking during table_clear() operations. A
local attacker could use this to cause a denial of service (kernel
deadlock). (CVE-2023-2269)

Quentin Minster discovered that a race condition existed in the KSMBD
implementation in the Linux kernel when handling sessions operations. A
remote attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-32250)

Quentin Minster discovered that a race condition existed in the KSMBD
implementation in the Linux kernel, leading to a use-after-free
vulnerability. A remote attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2023-32254)
CVEs:

Title: USN-6112-2: Perl vulnerability
URL: https://ubuntu.com/security/notices/USN-6112-2
Priorities: medium
Description:
USN-6112-1 fixed vulnerabilities in Perl. This update provides the
corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu
22.10, and Ubuntu 23.04.

Original advisory details:

It was discovered that Perl was not properly verifying TLS certificates
when using CPAN together with HTTP::Tiny to download modules over HTTPS.
If a remote attacker were able to intercept communications, this flaw
could potentially be used to install altered modules.
CVEs:

https://ubuntu.com/security/CVE-2023-31484

Title: USN-6136-1: FRR vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6136-1
Priorities: medium
Description:
It was discovered that FRR incorrectly handled parsing certain BGP
messages. A remote attacker could possibly use this issue to cause FRR to
crash, resulting in a denial of service. This issue only affected Ubuntu
23.04. (CVE-2023-31489)

It was discovered that FRR incorrectly handled parsing certain BGP
messages. A remote attacker could possibly use this issue to cause FRR to
crash, resulting in a denial of service. (CVE-2023-31490)
CVEs:

Title: USN-6150-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6150-1
Priorities: high,medium
Description:
Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in
the netfilter subsystem of the Linux kernel when processing batch requests,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-32233)

Reima Ishii discovered that the nested KVM implementation for Intel x86
processors in the Linux kernel did not properly validate control registers
in certain situations. An attacker in a guest VM could use this to cause a
denial of service (guest crash). (CVE-2023-30456)

Title: USN-6135-1: Linux kernel (Azure CVM) vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6135-1
Priorities: high,medium
Description:
Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in
the netfilter subsystem of the Linux kernel when processing batch requests,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-32233)

Title: USN-6127-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6127-1
Priorities: high,medium
Description:
Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in
the netfilter subsystem of the Linux kernel when processing batch requests,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-32233)

Title: USN-6128-1: CUPS vulnerability
URL: https://ubuntu.com/security/notices/USN-6128-1
Priorities: medium
Description:
It was discovered that CUPS incorrectly handled logging. A remote attacker
could use this issue to cause CUPS to crash, resulting in a denial of
service, or possibly execute arbitrary code.
CVEs:

https://ubuntu.com/security/CVE-2023-32324

Title: USN-6165-1: GLib vulnerabilities
URL: https://ubuntu.com/security/notices/USN-6165-1
Priorities: medium,low
Description:
It was discovered that GLib incorrectly handled non-normal GVariants. An
attacker could use this issue to cause GLib to crash, resulting in a denial
of service, or perform other unknown attacks.
CVEs:

Title: USN-6147-1: SpiderMonkey vulnerability
URL: https://ubuntu.com/security/notices/USN-6147-1
Priorities: medium
Description:
Several security issues were discovered in the SpiderMonkey JavaScript
library. If a user were tricked into opening malicious JavaScript
applications or processing malformed data, a remote attacker could exploit
a variety of issues related to JavaScript security, including denial of
service attacks, and arbitrary code execution.
CVEs:

https://ubuntu.com/security/CVE-2023-34416

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ubuntu jammy v1.147

Metadata:

USNs: