Episode 226
Update: 2024-04-19
Overview
John and Georgia are at the Linux Security Summit presenting on some long
awaited developments in AppArmor and we give you all the details in a sneak peek
preview as well as some of the other talks to look out for, plus we cover
security updates for NSS, Squid, Apache, libvirt and more and we put out a call
for testing of a pending AppArmor security fix too.
This week in Ubuntu Security Updates
86 unique CVEs addressed
[USN-6727-1, USN-6727-2] NSS vulnerabilities + regression (01:02)
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- All various timing side channels - two were effectively the same issue, since the original fix was incomplete: mishandling of padding in PKCS#1 (RSA) certificate checks - by sending a large number of attacker-chosen ciphertexts and timing the responses it is possible to infer the length of the encrypted message and other properties, and eventually infer the secret key. The other is a timing side channel when using various NIST curves (elliptic curve cryptography)
- The original fix caused some issues with loading NSS security modules, so a second update was published to fix that on focal+jammy
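To make the padding side channel concrete, here is an added example in C (this is editor-written illustration, not NSS code and not the NSS fix): a PKCS#1 v1.5 unpadding check written the naive way, which returns at the first byte that fails and stops scanning at the first zero byte, next to a constant-time version that touches every byte and computes its verdict arithmetically. The function names and the test vectors are made up for the example; the vectors are hand-constructed encryption blocks, not real RSA output.

```c
#include <stdint.h>
#include <stddef.h>

/*
 * PKCS#1 v1.5 encryption block (type 2) as it comes out of RSA decryption:
 *   0x00 | 0x02 | PS (>= 8 non-zero bytes) | 0x00 | message
 * Both routines return the message length on success and -1 on failure.
 */

/* Leaky version: each failed check returns immediately and the separator
 * search stops at the first zero byte, so the time taken depends on the
 * contents of the (secret) decryption result. Sending many chosen
 * ciphertexts and timing this is what a Bleichenbacher-style attack does. */
long unpad_leaky(const uint8_t *em, size_t emlen)
{
    if (emlen < 11 || em[0] != 0x00 || em[1] != 0x02)
        return -1;
    size_t i = 2;
    while (i < emlen && em[i] != 0x00)
        i++;
    if (i == emlen)              /* no separator at all */
        return -1;
    if (i < 10)                  /* padding string shorter than 8 bytes */
        return -1;
    return (long)(emlen - i - 1);
}

/* Returns 1 if x == 0, else 0, without a branch. */
static uint32_t ct_is_zero8(uint8_t x)
{
    return ((uint32_t)x - 1u) >> 31;
}

/* Constant-time version: every byte is examined exactly once, the separator
 * index is accumulated arithmetically, and validity is a mask combined at
 * the end. Only the (public) buffer length is used in a branch. */
long unpad_ct(const uint8_t *em, size_t emlen)
{
    if (emlen < 11)
        return -1;
    uint32_t good  = ct_is_zero8(em[0]) & ct_is_zero8(em[1] ^ 0x02);
    uint32_t found = 0;      /* becomes 1 once the first zero byte is passed */
    uint32_t sep   = 0;      /* index of that first zero byte */
    for (size_t i = 2; i < emlen; i++) {
        uint32_t z     = ct_is_zero8(em[i]);
        uint32_t first = z & (found ^ 1u);   /* zero byte with none before it */
        sep   |= first * (uint32_t)i;
        found |= z;
    }
    good &= found;                           /* a separator must exist */
    good &= ((sep - 10u) >> 31) ^ 1u;        /* sep >= 10  <=>  PS >= 8 bytes */
    /* A real decryptor would carry on with a random fallback message selected
     * by the mask (as TLS does) rather than signal failure at all; here the
     * mask just selects the return value, still without a data-dependent branch. */
    long msglen = (long)(emlen - sep - 1);
    return (long)good * msglen - (long)(good ^ 1u);
}

/* Constructed test vectors (not real RSA output). */
static const uint8_t EM_GOOD[]    = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'h','i'};
static const uint8_t EM_BADTAG[]  = {0x00,0x01,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,'h','i'};
static const uint8_t EM_SHORTPS[] = {0x00,0x02,0x11,0x22,0x33,0x00,0x66,0x77,0x88,0x99,0xaa,0xbb};
static const uint8_t EM_NOSEP[]   = {0x00,0x02,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa};
```

Both routines agree on every input; the difference is only in how long they take to say so, and that difference, accumulated over many oracle queries, is the whole attack. The leaky version's early returns are exactly the kind of thing a reviewer should flag in any code that handles decrypted padding.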
[USN-6728-1, USN-6728-2] Squid vulnerabilities + regression (02:05)
- 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- All found by the same researcher (Joshua Rogers) who performed a security audit of Squid back in 2021 - https://megamansec.github.io/Squid-Security-Audit/ - first mentioned by us in [USN-6500-1] Squid vulnerabilities in Episode 214 back in December 2023
- Then we mentioned how Squid was under-resourced and so hadn't been able to fix all the identified issues - over time upstream has published fixes for more of them and we are now incorporating those into Squid in Ubuntu
- All of these were various DoS issues which could either cause Squid to crash or to stop responding
- One of these fixes was problematic and caused Squid to crash by itself, so it was reverted
[USN-6729-1] Apache HTTP Server vulnerabilities (03:01)
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- 2 different issues that could result in HTTP request splitting attacks - closely related to HTTP request smuggling: both rely on an intermediate (load balancer/proxy/WAF etc.) and the backend parsing/interpreting the same HTTP request message differently, so that what the intermediate saw as a single HTTP request is split into multiple HTTP requests at the backend - allowing restrictions enforced along the way to be bypassed - usually involves injected CR/LF/TAB/SPC etc. in headers
- Plus a memory-based DoS in the handling of HTTP/2 - a client could just keep sending more headers, which the server buffered so that it could generate an informative error response, until memory was exhausted - the fix limits this to just 100 headers before bailing out with such an error
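An added example, in C, of both patterns just described (editor-written illustration, not Apache httpd code and not its fix): a header value containing an injected CRLF is copied into a request unvalidated, and a model back-end that splits the stream on CRLF then sees two request lines where the front-end saw one; beside it, a validator that refuses such values, and a header-field counter that bails out once more than 100 fields arrive instead of buffering them all. The real header-count bug was in HTTP/2's binary framing; the textual HTTP/1.1 form is used here because the principle is identical and easy to see. All names, the `example.test` host and the constructed tainted value are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_HEADER_FIELDS 100   /* the cap the fix described above applies */

/* Illustrative check for a header value about to hit the wire: CR, LF and
 * the other C0 controls (HTAB excepted) would let the value end the current
 * header line and start a new one, so they are refused outright. */
bool header_value_is_safe(const char *v)
{
    for (const unsigned char *p = (const unsigned char *)v; *p; p++) {
        if (*p == '\r' || *p == '\n' || *p == 0x7f || (*p < 0x20 && *p != '\t'))
            return false;
    }
    return true;
}

/* Vulnerable pattern: a value copied into the request unvalidated.
 * Returns bytes written, or -1 if it does not fit. */
int build_request_unchecked(char *out, size_t outsz, const char *path,
                            const char *name, const char *value)
{
    int n = snprintf(out, outsz, "GET %s HTTP/1.1\r\nHost: example.test\r\n%s: %s\r\n\r\n",
                     path, name, value);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Hardened: refuse to serialise a value that would split the request. */
int build_request_checked(char *out, size_t outsz, const char *path,
                          const char *name, const char *value)
{
    return header_value_is_safe(value)
               ? build_request_unchecked(out, outsz, path, name, value) : -1;
}

/* Models a back-end that splits the byte stream on CRLF and counts the
 * request lines ("... HTTP/1.1") it sees. One request should give exactly 1. */
int count_request_lines(const char *buf)
{
    int count = 0;
    for (const char *line = buf; *line; ) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 9 && memcmp(line + len - 9, " HTTP/1.1", 9) == 0)
            count++;
        if (!eol)
            break;
        line = eol + 2;
    }
    return count;
}

/* Counts the header fields after the request line, bailing out with -1 as
 * soon as the cap is exceeded instead of buffering them all; also -1 if the
 * blank line that ends the block never arrives. */
int count_header_fields(const char *buf)
{
    const char *eol = strstr(buf, "\r\n");
    if (!eol)
        return -1;
    int count = 0;
    for (const char *line = eol + 2; (eol = strstr(line, "\r\n")) != NULL; line = eol + 2) {
        if (eol == line)
            return count;                /* empty line: end of headers */
        if (++count > MAX_HEADER_FIELDS)
            return -1;
    }
    return -1;
}

/* Builds a request with n dummy headers and reports whether the cap lets it through. */
bool request_with_n_headers_accepted(int n)
{
    static char buf[8192];
    size_t used = (size_t)snprintf(buf, sizeof buf, "GET / HTTP/1.1\r\n");
    for (int i = 0; i < n; i++) {
        int w = snprintf(buf + used, sizeof buf - used, "X-H%d: v\r\n", i);
        if (w < 0 || used + (size_t)w >= sizeof buf)
            return false;
        used += (size_t)w;
    }
    if (used + 3 > sizeof buf)
        return false;
    memcpy(buf + used, "\r\n", 3);
    return count_header_fields(buf) == n;
}

int main(void)
{
    char req[512];
    /* Constructed attacker-controlled value: ends the header and smuggles a
     * second request line behind it. */
    const char *tainted = "bar\r\nGET /admin HTTP/1.1";
    if (build_request_unchecked(req, sizeof req, "/a", "X-Foo", tainted) > 0)
        printf("unchecked: back-end sees %d request(s)\n", count_request_lines(req));
    printf("checked: %s\n", build_request_checked(req, sizeof req, "/a", "X-Foo", tainted) < 0
                            ? "rejected" : "accepted");
    printf("100 headers: %d, 101 headers: %d\n",
           request_with_n_headers_accepted(100), request_with_n_headers_accepted(101));
    return 0;
}
```

The validator is deliberately stricter than the HTTP field-value grammar (it also rejects DEL and the remaining C0 controls); nothing legitimate needs them, and a WAF or proxy that tolerates them is exactly the parsing difference these attacks exploit.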
[USN-6730-1] Apache Maven Shared Utils vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6731-1] YARD vulnerabilities
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6732-1] WebKitGTK vulnerabilities
- 8 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
- CVE-2024-23284
- CVE-2024-23280
- CVE-2024-23263
- CVE-2024-23254
- CVE-2024-23252
- CVE-2023-42956
- CVE-2023-42950
- CVE-2023-42843
[USN-6733-1] GnuTLS vulnerabilities (04:57)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Timing side-channel in ECDSA
- Crash when verifying crafted PEM bundles -> DoS
[USN-6734-1] libvirt vulnerabilities (05:13)
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Off-by-one in the handling of udev interface names - an unprivileged client could abuse this to send crafted udev data to the libvirt daemon, triggering a crash -> DoS
- NULL ptr deref in the same code - a race condition: need to detach a host interface whilst calling into the function
- Crash in RPC handling - pass a negative length value, and it would then try to allocate a negative number of array entries - the underlying g_new0() from glib expects an unsigned value, so the negative number becomes an extremely large one -> tries to allocate an extremely large amount of memory -> crash
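The signed-to-unsigned step in that last bug is worth seeing in code. The following is an added C example (editor-written, not libvirt code and not its fix): a 4-byte big-endian length is decoded from a message, as XDR, the encoding libvirt's remote protocol uses, carries array lengths; a handler that trusts it converts -1 into a count of SIZE_MAX entries, while the hardened handler rejects negative and oversized values before they ever become a size. The struct, the message layout, the two constructed messages and all function names are assumptions made for the example; `calloc()` stands in for `g_new0()`, with the difference noted in the comments.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Element type of the array the (hypothetical) RPC message carries. */
typedef struct { uint64_t id; uint64_t flags; } entry_t;

/* Decodes a 4-byte big-endian signed integer, the XDR encoding of an int. */
int32_t decode_be_int32(const uint8_t *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)u;
}

/* What an allocator taking an unsigned count sees when handed a negative
 * signed length: the conversion wraps to a huge value. g_new0(type, n)
 * multiplies n by sizeof(type) in size_t, exactly like this. */
size_t bytes_requested(int32_t len, size_t elem_size)
{
    return (size_t)len * elem_size;
}

/* Vulnerable handler: trusts the wire length. Returns the element count
 * allocated, or -1 if allocation failed. With g_new0() there is no -1 path:
 * glib aborts the process on an overflowing or failed allocation, and that
 * abort is the daemon crash. */
long handle_array_unchecked(const uint8_t *msg)
{
    int32_t len = decode_be_int32(msg);
    entry_t *arr = calloc((size_t)len, sizeof *arr);   /* stands in for g_new0 */
    if (!arr)
        return -1;
    free(arr);
    return len;
}

/* Hardened handler: validate the signed value before it becomes a size.
 * Rejects negatives and anything above a sane protocol maximum. */
long handle_array_checked(const uint8_t *msg, int32_t max_elems)
{
    int32_t len = decode_be_int32(msg);
    if (len < 0 || len > max_elems)
        return -1;
    entry_t *arr = calloc((size_t)len, sizeof *arr);
    if (!arr && len != 0)
        return -1;
    free(arr);
    return len;
}

/* Constructed messages: just the 4-byte length prefix. */
static const uint8_t MSG_OK[]  = {0x00, 0x00, 0x00, 0x04};   /* 4 entries */
static const uint8_t MSG_NEG[] = {0xff, 0xff, 0xff, 0xff};   /* -1 */

int main(void)
{
    printf("len=-1 as a size_t count of %zu-byte entries asks for %zu bytes\n",
           sizeof(entry_t), bytes_requested(-1, sizeof(entry_t)));
    printf("unchecked: %ld   checked: %ld\n",
           handle_array_unchecked(MSG_NEG), handle_array_checked(MSG_NEG, 1024));
    return 0;
}
```

The general lesson applies to every length, count or offset that arrives from an untrusted peer: check it in its signed type, against an explicit upper bound, before it is passed to anything that takes a `size_t`.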
[USN-6735-1] Node.js vulnerabilities
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6736-1] klibc vulnerabilities (06:33)
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)