{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-6.8.0-49", "linux-headers-6.8.0-49-generic", "linux-image-6.8.0-49-generic", "linux-modules-6.8.0-49-generic", "linux-tools-6.8.0-49", "linux-tools-6.8.0-49-generic" ], "removed": [ "linux-headers-6.8.0-48", "linux-headers-6.8.0-48-generic", "linux-image-6.8.0-48-generic", "linux-modules-6.8.0-48-generic", "linux-tools-6.8.0-48", "linux-tools-6.8.0-48-generic" ], "diff": [ "curl", "gir1.2-glib-2.0", "krb5-locales", "libacl1", "libaudit-common", "libaudit1", "libcurl3t64-gnutls", "libcurl4t64", "libglib2.0-0t64", "libglib2.0-bin", "libglib2.0-data", "libgssapi-krb5-2", "libk5crypto3", "libkrb5-3", "libkrb5support0", "libldap-common", "libldap2", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-libc-dev", "linux-tools-common", "linux-virtual", "vim", "vim-common", "vim-runtime", "vim-tiny", "xxd" ] } }, "diff": { "deb": [ { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.4", "version": "8.5.0-2ubuntu10.4" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.5", "version": "8.5.0-2ubuntu10.5" }, "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.", " - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname", " comparison in lib/hsts.c.", " - CVE-2024-9681", "" ], "package": "curl", "version": "8.5.0-2ubuntu10.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 10:48:09 -0330" } ], "notes": null }, { "name": "gir1.2-glib-2.0", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.1", "version": "2.80.0-6ubuntu3.1" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.2", "version": "2.80.0-6ubuntu3.2" }, "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:42:10 -0300" } ], "notes": null }, { "name": "krb5-locales", "from_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.1", "version": "1.20.1-6ubuntu2.1" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.2", "version": "1.20.1-6ubuntu2.2" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "krb5", "version": "1.20.1-6ubuntu2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:50 +0200" } ], "notes": null }, { "name": "libacl1", "from_version": { "source_package_name": "acl", "source_package_version": "2.3.2-1build1", "version": "2.3.2-1build1" }, "to_version": { "source_package_name": "acl", "source_package_version": "2.3.2-1build1.1", "version": "2.3.2-1build1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "acl", "version": "2.3.2-1build1.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:51 +0200" } ], "notes": null }, { "name": "libaudit-common", "from_version": { "source_package_name": "audit", "source_package_version": "1:3.1.2-2.1build1", "version": "1:3.1.2-2.1build1" }, "to_version": { "source_package_name": "audit", "source_package_version": "1:3.1.2-2.1build1.1", "version": "1:3.1.2-2.1build1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "audit", "version": "1:3.1.2-2.1build1.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:50 +0200" } ], "notes": null }, { "name": "libaudit1", "from_version": { "source_package_name": "audit", "source_package_version": "1:3.1.2-2.1build1", "version": "1:3.1.2-2.1build1" }, "to_version": { "source_package_name": "audit", "source_package_version": "1:3.1.2-2.1build1.1", "version": "1:3.1.2-2.1build1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "audit", "version": "1:3.1.2-2.1build1.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:50 +0200" } ], "notes": null }, { "name": "libcurl3t64-gnutls", "from_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.4", "version": "8.5.0-2ubuntu10.4" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.5", "version": "8.5.0-2ubuntu10.5" }, "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.", " - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname", " comparison in lib/hsts.c.", " - CVE-2024-9681", "" ], "package": "curl", "version": "8.5.0-2ubuntu10.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 10:48:09 -0330" } ], "notes": null }, { "name": "libcurl4t64", "from_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.4", "version": "8.5.0-2ubuntu10.4" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.5", "version": "8.5.0-2ubuntu10.5" }, "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.", " - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname", " comparison in lib/hsts.c.", " - CVE-2024-9681", "" ], "package": "curl", "version": "8.5.0-2ubuntu10.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 10:48:09 -0330" } ], "notes": null }, { "name": "libglib2.0-0t64", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.1", "version": "2.80.0-6ubuntu3.1" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.2", "version": "2.80.0-6ubuntu3.2" }, "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:42:10 -0300" } ], "notes": null }, { "name": "libglib2.0-bin", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.1", "version": "2.80.0-6ubuntu3.1" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.2", "version": "2.80.0-6ubuntu3.2" }, "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:42:10 -0300" } ], "notes": null }, { "name": "libglib2.0-data", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.1", "version": "2.80.0-6ubuntu3.1" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.2", "version": "2.80.0-6ubuntu3.2" }, "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:42:10 -0300" } ], "notes": null }, { "name": "libgssapi-krb5-2", "from_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.1", "version": "1.20.1-6ubuntu2.1" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.2", "version": "1.20.1-6ubuntu2.2" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "krb5", "version": "1.20.1-6ubuntu2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:50 +0200" } ], "notes": null }, { "name": "libk5crypto3", "from_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.1", "version": "1.20.1-6ubuntu2.1" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.2", "version": "1.20.1-6ubuntu2.2" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "krb5", "version": "1.20.1-6ubuntu2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:50 +0200" } ], "notes": null }, { "name": "libkrb5-3", "from_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.1", "version": "1.20.1-6ubuntu2.1" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.2", "version": "1.20.1-6ubuntu2.2" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "krb5", "version": "1.20.1-6ubuntu2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:50 +0200" } ], "notes": null }, { "name": "libkrb5support0", "from_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.1", "version": "1.20.1-6ubuntu2.1" }, "to_version": { "source_package_name": "krb5", "source_package_version": "1.20.1-6ubuntu2.2", "version": "1.20.1-6ubuntu2.2" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "krb5", "version": "1.20.1-6ubuntu2.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:50 +0200" } ], "notes": null }, { "name": "libldap-common", "from_version": { "source_package_name": "openldap", "source_package_version": "2.6.7+dfsg-1~exp1ubuntu8", "version": "2.6.7+dfsg-1~exp1ubuntu8" }, "to_version": { "source_package_name": "openldap", "source_package_version": "2.6.7+dfsg-1~exp1ubuntu8.1", "version": "2.6.7+dfsg-1~exp1ubuntu8.1" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "openldap", "version": "2.6.7+dfsg-1~exp1ubuntu8.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:51 +0200" } ], "notes": null }, { "name": "libldap2", "from_version": { "source_package_name": "openldap", "source_package_version": "2.6.7+dfsg-1~exp1ubuntu8", "version": "2.6.7+dfsg-1~exp1ubuntu8" }, "to_version": { "source_package_name": "openldap", "source_package_version": "2.6.7+dfsg-1~exp1ubuntu8.1", "version": "2.6.7+dfsg-1~exp1ubuntu8.1" }, "cves": [], "launchpad_bugs_fixed": [ 2083480 ], "changes": [ { "cves": [], "log": [ "", " * SRU: LP: #2083480: No-change rebuild to disable frame pointers on", " ppc64el and s390x.", "" ], "package": "openldap", "version": "2.6.7+dfsg-1~exp1ubuntu8.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083480 ], "author": "Matthias Klose ", "date": "Wed, 02 Oct 2024 14:40:51 +0200" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-49.49", "" ], "package": "linux-meta", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 12:40:57 +0100" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-49.49", "" ], "package": "linux-meta", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 12:40:57 +0100" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-49.49", "" ], "package": "linux-meta", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 12:40:57 +0100" } ], "notes": null }, { "name": "linux-libc-dev", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085942, 2085495 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", "", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", "", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", "", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085942, 2085495 ], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 11:56:32 +0100" } ], "notes": null }, { "name": "linux-tools-common", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085942, 2085495 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", "", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", "", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", "", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085942, 2085495 ], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 11:56:32 +0100" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-49.49", "" ], "package": "linux-meta", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 12:40:57 +0100" } ], "notes": null }, { "name": "vim", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.3", "version": "2:9.1.0016-1ubuntu7.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "cves": [], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 13:05:40 -0500" } ], "notes": null }, { "name": "vim-common", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.3", "version": "2:9.1.0016-1ubuntu7.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "cves": [], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 13:05:40 -0500" } ], "notes": null }, { "name": "vim-runtime", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.3", "version": "2:9.1.0016-1ubuntu7.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "cves": [], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 13:05:40 -0500" } ], "notes": null }, { "name": "vim-tiny", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.3", "version": "2:9.1.0016-1ubuntu7.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "cves": [], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 13:05:40 -0500" } ], "notes": null }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.3", "version": "2:9.1.0016-1ubuntu7.3" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "cves": [], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 13:05:40 -0500" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-6.8.0-49", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085942, 2085495 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", "", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", "", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", "", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085942, 2085495 ], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 11:56:32 +0100" } ], "notes": "linux-headers-6.8.0-49 version '6.8.0-49.49' (source package linux version '6.8.0-49.49') was added. linux-headers-6.8.0-49 version '6.8.0-49.49' has the same source package name, linux, as removed package linux-headers-6.8.0-48. As such we can use the source package version of the removed package, '6.8.0-48.48', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-6.8.0-49-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085942, 2085495 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", "", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", "", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", "", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085942, 2085495 ], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 11:56:32 +0100" } ], "notes": "linux-headers-6.8.0-49-generic version '6.8.0-49.49' (source package linux version '6.8.0-49.49') was added. linux-headers-6.8.0-49-generic version '6.8.0-49.49' has the same source package name, linux, as removed package linux-headers-6.8.0-48. As such we can use the source package version of the removed package, '6.8.0-48.48', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-6.8.0-49-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-48.48", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-49.49", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 12:41:07 +0100" } ], "notes": "linux-image-6.8.0-49-generic version '6.8.0-49.49' (source package linux-signed version '6.8.0-49.49') was added. linux-image-6.8.0-49-generic version '6.8.0-49.49' has the same source package name, linux-signed, as removed package linux-image-6.8.0-48-generic. As such we can use the source package version of the removed package, '6.8.0-48.48', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-6.8.0-49-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085942, 2085495 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", "", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", "", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", "", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085942, 2085495 ], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 11:56:32 +0100" } ], "notes": "linux-modules-6.8.0-49-generic version '6.8.0-49.49' (source package linux version '6.8.0-49.49') was added. linux-modules-6.8.0-49-generic version '6.8.0-49.49' has the same source package name, linux, as removed package linux-headers-6.8.0-48. As such we can use the source package version of the removed package, '6.8.0-48.48', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-tools-6.8.0-49", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085942, 2085495 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", "", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", "", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", "", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085942, 2085495 ], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 11:56:32 +0100" } ], "notes": "linux-tools-6.8.0-49 version '6.8.0-49.49' (source package linux version '6.8.0-49.49') was added. linux-tools-6.8.0-49 version '6.8.0-49.49' has the same source package name, linux, as removed package linux-headers-6.8.0-48. As such we can use the source package version of the removed package, '6.8.0-48.48', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-tools-6.8.0-49-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-49.49", "version": "6.8.0-49.49" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085942, 2085495 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", "", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", "", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", "", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux", "version": "6.8.0-49.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085942, 2085495 ], "author": "Manuel Diewald ", "date": "Fri, 01 Nov 2024 11:56:32 +0100" } ], "notes": "linux-tools-6.8.0-49-generic version '6.8.0-49.49' (source package linux version '6.8.0-49.49') was added. linux-tools-6.8.0-49-generic version '6.8.0-49.49' has the same source package name, linux, as removed package linux-headers-6.8.0-48. As such we can use the source package version of the removed package, '6.8.0-48.48', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.8.0-48", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-6.8.0-48-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-6.8.0-48-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-6.8.0-48-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-tools-6.8.0-48", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-tools-6.8.0-48-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-48.48", "version": "6.8.0-48.48" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20241106 to 20241119", "from_series": "noble", "to_series": "noble", "from_serial": "20241106", "to_serial": "20241119", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }