NVD Description

Note: Versions mentioned in the description apply only to the upstream apparmor package and not the apparmor package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In all versions of AppArmor mount rules are accidentally widened when compiled.

Remediation

There is no fixed version for Ubuntu:16.04 apparmor.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585
• https://security-tracker.debian.org/tracker/CVE-2016-1585
• https://bugs.launchpad.net/apparmor/+bug/1597017
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

Remediation

Upgrade Ubuntu:16.04 curl to version 7.47.0-1ubuntu2.19+esm6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-32221
• https://hackerone.com/reports/1704017
• https://security.gentoo.org/glsa/202212-01
• https://security.netapp.com/advisory/ntap-20230110-0006/
• https://support.apple.com/kb/HT213604
• https://support.apple.com/kb/HT213605
• http://seclists.org/fulldisclosure/2023/Jan/20
• http://seclists.org/fulldisclosure/2023/Jan/19
• https://www.debian.org/security/2023/dsa-5330
• https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html
• https://security.netapp.com/advisory/ntap-20230208-0002/
• http://www.openwall.com/lists/oss-security/2023/05/17/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream dpkg package and not the dpkg package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

Remediation

Upgrade Ubuntu:16.04 dpkg to version 1.18.4ubuntu1.7+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-1664
• https://lists.debian.org/debian-security-announce/2022/msg00115.html
• https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=faa4c92debe45412bfcf8a44f26e827800bb24be
• https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7a6c03cb34d4a09f35df2f10779cbf1b70a5200b
• https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html
• https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=58814cacee39c4ce9e2cd0e3a3b9b57ad437eff5
• https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1f23dddc17f69c9598477098c7fb9936e15fa495
• https://security.netapp.com/advisory/ntap-20221007-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-22824
• https://github.com/libexpat/libexpat/pull/539
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://www.tenable.com/security/tns-2022-05
• https://www.debian.org/security/2022/dsa-5073
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-22823
• https://github.com/libexpat/libexpat/pull/539
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://www.tenable.com/security/tns-2022-05
• https://www.debian.org/security/2022/dsa-5073
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-22822
• https://github.com/libexpat/libexpat/pull/539
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://www.tenable.com/security/tns-2022-05
• https://www.debian.org/security/2022/dsa-5073
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-23852
• https://github.com/libexpat/libexpat/pull/550
• https://www.tenable.com/security/tns-2022-05
• https://www.debian.org/security/2022/dsa-5073
• https://security.netapp.com/advisory/ntap-20220217-0001/
• https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-25315
• https://github.com/libexpat/libexpat/pull/559
• http://www.openwall.com/lists/oss-security/2022/02/19/1
• https://www.debian.org/security/2022/dsa-5085
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/
• https://security.netapp.com/advisory/ntap-20220303-0008/
• https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Git is distributed revision control system. git log can display commits in an arbitrary format using its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute. When processing the padding operators, there is a integer overflow in pretty.c::format_and_pad_commit() where a size_t is stored improperly as an int, and then added as an offset to a memcpy(). This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable git archive in untrusted repositories. If you expose git archive via git daemon, disable it by running git config --global daemon.uploadArch false.

Remediation

Upgrade Ubuntu:16.04 git to version 1:2.7.4-0ubuntu1.10+esm4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-41903
• https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
• https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
• https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst
• https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a .gitattributes file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted .gitattributes file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.

Remediation

Upgrade Ubuntu:16.04 git to version 1:2.7.4-0ubuntu1.10+esm4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-23521
• https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89
• https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).

Remediation

Upgrade Ubuntu:16.04 heimdal to version 1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-44640
• https://github.com/heimdal/heimdal/security/advisories/GHSA-88pm-hfmq-7vv4
• https://security.netapp.com/advisory/ntap-20230216-0008/
• https://security.gentoo.org/glsa/202310-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream lz4 package and not the lz4 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

Remediation

Upgrade Ubuntu:16.04 lz4 to version 0.0~r131-2ubuntu2+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-3520
• https://bugzilla.redhat.com/show_bug.cgi?id=1954559
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://security.netapp.com/advisory/ntap-20211104-0005/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://access.redhat.com/errata/RHBA-2021:2854
• https://access.redhat.com/errata/RHSA-2021:2575
• https://access.redhat.com/errata/RHSA-2022:1345
• https://access.redhat.com/errata/RHSA-2022:5606
• https://access.redhat.com/errata/RHSA-2022:6407
• https://access.redhat.com/security/cve/CVE-2021-3520

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

Remediation

Upgrade Ubuntu:16.04 openldap to version 2.4.42+dfsg-2ubuntu3.13+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-29155
• https://bugs.openldap.org/show_bug.cgi?id=9815
• https://www.debian.org/security/2022/dsa-5140
• https://lists.debian.org/debian-lts-announce/2022/05/msg00032.html
• https://security.netapp.com/advisory/ntap-20220609-0007/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Remediation

Upgrade Ubuntu:16.04 openssh to version 1:7.2p2-4ubuntu2.10+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-38408
• https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent
• https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8
• https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d
• https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca
• https://news.ycombinator.com/item?id=36790196
• https://www.openssh.com/security.html
• https://www.openssh.com/txt/release-9.3p2
• https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
• https://security.gentoo.org/glsa/202307-01
• http://www.openwall.com/lists/oss-security/2023/07/20/1
• http://www.openwall.com/lists/oss-security/2023/07/20/2
• http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/
• https://security.netapp.com/advisory/ntap-20230803-0010/
• https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html
• http://www.openwall.com/lists/oss-security/2023/09/22/9
• http://www.openwall.com/lists/oss-security/2023/09/22/11
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/
• https://support.apple.com/kb/HT213940
• https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

Remediation

Upgrade Ubuntu:16.04 openssl to version 1.0.2g-1ubuntu4.20+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-1292
• https://www.openssl.org/news/secadv/20220503.txt
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=548d3f280a6e737673f5b61fce24bb100108dfeb
• https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html
• https://www.debian.org/security/2022/dsa-5139
• https://security.netapp.com/advisory/ntap-20220602-0009/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://security.netapp.com/advisory/ntap-20220729-0004/
• https://security.gentoo.org/glsa/202210-02
• https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

Remediation

Upgrade Ubuntu:16.04 openssl to version 1.0.2g-1ubuntu4.20+esm5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-2068
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9639817dac8bbbaa64d09efad7464ccc405527c7
• https://www.openssl.org/news/secadv/20220621.txt
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c9c35870601b4a44d86ddbf512b38df38285cfa
• https://www.debian.org/security/2022/dsa-5169
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/
• https://security.netapp.com/advisory/ntap-20220707-0008/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/
• https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

Remediation

Upgrade Ubuntu:16.04 python2.7 to version 2.7.12-1ubuntu0~16.04.18+esm6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48565
• https://bugs.python.org/issue42051
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://security.netapp.com/advisory/ntap-20231006-0007/
• https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFHYAGWBFBNUGWU6XWKBHTCV5NH77MB7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAYWJD576JUKLHCWKDLMJSUGTRDKPF3M/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZRZRJHWLZ7MOJNPQBWGJVXMVYDC5BRA/

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Remediation

Upgrade Ubuntu:16.04 zlib to version 1:1.2.8.dfsg-2ubuntu4.3+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-37434
• https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764
• https://github.com/ivd38/zlib_overflow
• https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
• https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063
• http://www.openwall.com/lists/oss-security/2022/08/05/2
• https://github.com/curl/curl/issues/9271
• http://www.openwall.com/lists/oss-security/2022/08/09/1
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/
• https://www.debian.org/security/2022/dsa-5218
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/
• https://security.netapp.com/advisory/ntap-20220901-0005/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/
• https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/
• https://support.apple.com/kb/HT213490
• https://support.apple.com/kb/HT213493
• https://support.apple.com/kb/HT213494
• https://support.apple.com/kb/HT213491
• https://support.apple.com/kb/HT213488
• https://support.apple.com/kb/HT213489
• http://seclists.org/fulldisclosure/2022/Oct/41
• http://seclists.org/fulldisclosure/2022/Oct/37
• http://seclists.org/fulldisclosure/2022/Oct/38
• http://seclists.org/fulldisclosure/2022/Oct/42
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/
• https://security.netapp.com/advisory/ntap-20230427-0007/

NVD Description

Note: Versions mentioned in the description apply only to the upstream mercurial package and not the mercurial package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.

Remediation

There is no fixed version for Ubuntu:16.04 mercurial.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-17983
• https://security-tracker.debian.org/tracker/CVE-2018-17983
• https://www.mercurial-scm.org/repo/hg/rev/5405cb1a7901
• https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.7.2_.282018-10-01.29

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-22827
• https://github.com/libexpat/libexpat/pull/539
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://www.tenable.com/security/tns-2022-05
• https://www.debian.org/security/2022/dsa-5073
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-22826
• https://github.com/libexpat/libexpat/pull/539
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://www.tenable.com/security/tns-2022-05
• https://www.debian.org/security/2022/dsa-5073
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-22825
• https://github.com/libexpat/libexpat/pull/539
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://www.tenable.com/security/tns-2022-05
• https://www.debian.org/security/2022/dsa-5073
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Git is an open source, scalable, distributed revision control system. git shell is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an int to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to execv(), it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to git shell as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling git shell access via remote logins is a viable short-term workaround.

Remediation

Upgrade Ubuntu:16.04 git to version 1:2.7.4-0ubuntu1.10+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-39260
• https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
• https://support.apple.com/kb/HT213496
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
• http://seclists.org/fulldisclosure/2022/Nov/1
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
• https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream gzip package and not the gzip package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Remediation

Upgrade Ubuntu:16.04 gzip to version 1.6-4ubuntu1+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-1271
• https://bugzilla.redhat.com/show_bug.cgi?id=2073310
• https://access.redhat.com/security/cve/CVE-2022-1271
• https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
• https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
• https://www.openwall.com/lists/oss-security/2022/04/07/8
• https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
• https://security-tracker.debian.org/tracker/CVE-2022-1271
• https://security.gentoo.org/glsa/202209-01
• https://security.netapp.com/advisory/ntap-20220930-0006/
• https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

Remediation

Upgrade Ubuntu:16.04 heimdal to version 1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-42898
• https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583
• https://bugzilla.samba.org/show_bug.cgi?id=15203
• https://web.mit.edu/kerberos/advisories/
• https://www.samba.org/samba/security/CVE-2022-42898.html
• https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c
• https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt
• https://web.mit.edu/kerberos/krb5-1.19/
• https://security.netapp.com/advisory/ntap-20230216-0008/
• https://security.netapp.com/advisory/ntap-20230223-0001/
• https://security.gentoo.org/glsa/202309-06
• https://security.gentoo.org/glsa/202310-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

Remediation

Upgrade Ubuntu:16.04 krb5 to version 1.13.2+dfsg-5ubuntu2.2+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-42898
• https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583
• https://bugzilla.samba.org/show_bug.cgi?id=15203
• https://web.mit.edu/kerberos/advisories/
• https://www.samba.org/samba/security/CVE-2022-42898.html
• https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c
• https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt
• https://web.mit.edu/kerberos/krb5-1.19/
• https://security.netapp.com/advisory/ntap-20230216-0008/
• https://security.netapp.com/advisory/ntap-20230223-0001/
• https://security.gentoo.org/glsa/202309-06
• https://security.gentoo.org/glsa/202310-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Remediation

Upgrade Ubuntu:16.04 xz-utils to version 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-1271
• https://bugzilla.redhat.com/show_bug.cgi?id=2073310
• https://access.redhat.com/security/cve/CVE-2022-1271
• https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
• https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
• https://www.openwall.com/lists/oss-security/2022/04/07/8
• https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
• https://security-tracker.debian.org/tracker/CVE-2022-1271
• https://security.gentoo.org/glsa/202209-01
• https://security.netapp.com/advisory/ntap-20220930-0006/
• https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-40674
• https://github.com/libexpat/libexpat/pull/629
• https://github.com/libexpat/libexpat/pull/640
• https://www.debian.org/security/2022/dsa-5236
• https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html
• https://security.gentoo.org/glsa/202209-24
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/
• https://security.netapp.com/advisory/ntap-20221028-0008/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/
• https://security.gentoo.org/glsa/202211-06
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.

Remediation

Upgrade Ubuntu:16.04 libzstd to version 1.3.1+dfsg-1~ubuntu0.16.04.1+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-11922
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11922
• https://www.facebook.com/security/advisories/cve-2019-11922
• https://security-tracker.debian.org/tracker/CVE-2019-11922
• https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0
• https://www.oracle.com/security-alerts/cpuoct2020.html
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html
• https://usn.ubuntu.com/4108-1/

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Remediation

Upgrade Ubuntu:16.04 perl to version 5.22.1-9ubuntu0.9+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-31484
• https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
• https://github.com/andk/cpanpm/pull/175
• https://metacpan.org/dist/CPAN/changes
• https://www.openwall.com/lists/oss-security/2023/04/18/14
• http://www.openwall.com/lists/oss-security/2023/04/29/1
• http://www.openwall.com/lists/oss-security/2023/05/03/3
• http://www.openwall.com/lists/oss-security/2023/05/03/5
• http://www.openwall.com/lists/oss-security/2023/05/07/2
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. A malicious application may cause a denial of service or potentially disclose memory contents.

Remediation

There is no fixed version for Ubuntu:16.04 sqlite3.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-9794
• https://security-tracker.debian.org/tracker/CVE-2020-9794
• https://support.apple.com/HT211168
• https://support.apple.com/HT211170
• https://support.apple.com/HT211171
• https://support.apple.com/HT211175
• https://support.apple.com/HT211178
• https://support.apple.com/HT211179
• https://support.apple.com/HT211181
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream e2fsprogs package and not the e2fsprogs package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

Remediation

Upgrade Ubuntu:16.04 e2fsprogs to version 1.42.13-1ubuntu1.2+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-1304
• https://bugzilla.redhat.com/show_bug.cgi?id=2069726
• https://access.redhat.com/errata/RHSA-2022:7720
• https://access.redhat.com/errata/RHSA-2022:8361
• https://access.redhat.com/security/cve/CVE-2022-1304

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-46143
• https://github.com/libexpat/libexpat/issues/532
• https://github.com/libexpat/libexpat/pull/538
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://security.netapp.com/advisory/ntap-20220121-0006/
• https://www.tenable.com/security/tns-2022-05
• https://www.debian.org/security/2022/dsa-5073
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

Remediation

Upgrade Ubuntu:16.04 git to version 1:2.7.4-0ubuntu1.10+esm7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29007
• https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt
• https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
• https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

Remediation

There is no fixed version for Ubuntu:16.04 git.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-29187
• https://github.blog/2022-04-12-git-security-vulnerability-announced
• https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/T/#u
• https://github.com/git/git/security/advisories/GHSA-j342-m5hw-rr3v
• http://www.openwall.com/lists/oss-security/2022/07/14/1
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/
• https://support.apple.com/kb/HT213496
• http://seclists.org/fulldisclosure/2022/Nov/1
• https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/
• https://lore.kernel.org/git/xmqqv8s2fefi.fsf%40gitster.g/T/#u
• https://security.gentoo.org/glsa/202312-15
• https://security.gentoo.org/glsa/202401-17

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade Ubuntu:16.04 glibc to version 2.23-0ubuntu11.3+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-3999
• https://www.openwall.com/lists/oss-security/2022/01/24/4
• https://access.redhat.com/security/cve/CVE-2021-3999
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
• https://sourceware.org/bugzilla/show_bug.cgi?id=28769
• https://security-tracker.debian.org/tracker/CVE-2021-3999
• https://bugzilla.redhat.com/show_bug.cgi?id=2024637
• https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
• https://security.netapp.com/advisory/ntap-20221104-0001/
• https://access.redhat.com/errata/RHSA-2022:0896
• https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap2 package and not the libcap2 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.

Remediation

Upgrade Ubuntu:16.04 libcap2 to version 1:2.24-12ubuntu0.1~esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-2603
• https://bugzilla.redhat.com/show_bug.cgi?id=2209113
• https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IPEGCFMCN5KGCFX5Y2VTKR732TTD4ADW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ57ICDLMVYEREXQGZWL4GWI7FRJCRQT/

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Remediation

Upgrade Ubuntu:16.04 ncurses to version 6.0+20160213-1ubuntu1+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29491
• http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
• https://www.openwall.com/lists/oss-security/2023/04/12/5
• https://www.openwall.com/lists/oss-security/2023/04/13/4
• http://www.openwall.com/lists/oss-security/2023/04/19/10
• http://www.openwall.com/lists/oss-security/2023/04/19/11
• https://security.netapp.com/advisory/ntap-20230517-0009/
• https://support.apple.com/kb/HT213843
• https://support.apple.com/kb/HT213844
• https://support.apple.com/kb/HT213845
• http://ncurses.scripts.mit.edu/?p=ncurses.git%3Ba=commit%3Bh=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
• https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

CPAN 2.28 allows Signature Verification Bypass.

Remediation

Upgrade Ubuntu:16.04 perl to version 5.22.1-9ubuntu0.9+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-16156
• https://metacpan.org/pod/distribution/CPAN/scripts/cpan
• https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
• http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/

NVD Description

Note: Versions mentioned in the description apply only to the upstream ca-certificates package and not the ca-certificates package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Remediation

Upgrade Ubuntu:16.04 ca-certificates to version 2021101616.04.1esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-23491
• https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
• https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line orCURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations withoutTLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

Remediation

Upgrade Ubuntu:16.04 curl to version 7.47.0-1ubuntu2.19+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-22946
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/
• https://hackerone.com/reports/1334111
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html
• https://security.netapp.com/advisory/ntap-20211029-0003/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
• https://security.netapp.com/advisory/ntap-20220121-0008/
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://support.apple.com/kb/HT213183
• http://seclists.org/fulldisclosure/2022/Mar/29
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.debian.org/security/2022/dsa-5197
• https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
• https://security.gentoo.org/glsa/202212-01
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-23990
• https://github.com/libexpat/libexpat/pull/551
• https://www.tenable.com/security/tns-2022-05
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7FF2UH7MPXKTADYSJUAHI2Y5UHBSHUH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34NXVL2RZC2YZRV74ZQ3RNFB7WCEUP7D/
• https://www.debian.org/security/2022/dsa-5073
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/34NXVL2RZC2YZRV74ZQ3RNFB7WCEUP7D/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7FF2UH7MPXKTADYSJUAHI2Y5UHBSHUH/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-43680
• https://github.com/libexpat/libexpat/pull/650
• https://github.com/libexpat/libexpat/pull/616
• https://github.com/libexpat/libexpat/issues/649
• https://lists.debian.org/debian-lts-announce/2022/10/msg00033.html
• https://www.debian.org/security/2022/dsa-5266
• https://security.gentoo.org/glsa/202210-38
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BY4OPSIB33ETNUXZY2UPZ4NGQ3OKDY4D/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUJ2BULJTZ2BMSKQHB6US674P55UCWWS/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJ5VY2VYXE4WTRGQ6LMGLF6FV3SY37YE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPQVIF6TOJNY2T3ZZETFKR4G34FFREBQ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFCOMBSOJKLIKCGCJWHLJXO4EVYBG7AR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5XOOB7CD55CEE6OJYKSACSIMQ4RWQ6/
• https://security.netapp.com/advisory/ntap-20221118-0007/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AJ5VY2VYXE4WTRGQ6LMGLF6FV3SY37YE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BY4OPSIB33ETNUXZY2UPZ4NGQ3OKDY4D/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPQVIF6TOJNY2T3ZZETFKR4G34FFREBQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFCOMBSOJKLIKCGCJWHLJXO4EVYBG7AR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUJ2BULJTZ2BMSKQHB6US674P55UCWWS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5XOOB7CD55CEE6OJYKSACSIMQ4RWQ6/
• http://www.openwall.com/lists/oss-security/2023/12/28/5
• http://www.openwall.com/lists/oss-security/2024/01/03/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.

Remediation

Upgrade Ubuntu:16.04 git to version 1:2.7.4-0ubuntu1.10+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-40330
• https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473
• https://github.com/git/git/compare/v2.30.0...v2.30.1
• https://lists.debian.org/debian-lts-announce/2022/10/msg00014.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

Remediation

Upgrade Ubuntu:16.04 git to version 1:2.7.4-0ubuntu1.10+esm5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-23946
• https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd
• https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

Remediation

Upgrade Ubuntu:16.04 git to version 1:2.7.4-0ubuntu1.10+esm7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-25652
• https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902
• https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e
• https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
• http://www.openwall.com/lists/oss-security/2023/04/25/2
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BSXOGVVBJLYX26IAYX6PJSYQB36BREWH/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.

Remediation

Upgrade Ubuntu:16.04 heimdal to version 1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-45142
• https://www.openwall.com/lists/oss-security/2023/02/08/1
• https://security.gentoo.org/glsa/202310-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.

Remediation

Upgrade Ubuntu:16.04 heimdal to version 1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-16860
• https://seclists.org/bugtraq/2019/Aug/21
• https://seclists.org/bugtraq/2019/Aug/22
• https://seclists.org/bugtraq/2019/Aug/23
• https://seclists.org/bugtraq/2019/Aug/25
• https://support.apple.com/HT210346
• https://support.apple.com/HT210348
• https://support.apple.com/HT210351
• https://support.apple.com/HT210353
• https://www.synology.com/security/advisory/Synology_SA_19_23
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
• https://security-tracker.debian.org/tracker/CVE-2018-16860
• https://security.gentoo.org/glsa/202003-52
• https://www.samba.org/samba/security/CVE-2018-16860.html
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00026.html
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16860
• http://seclists.org/fulldisclosure/2019/Aug/11
• http://seclists.org/fulldisclosure/2019/Aug/13
• http://seclists.org/fulldisclosure/2019/Aug/14
• http://seclists.org/fulldisclosure/2019/Aug/15

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.

Remediation

Upgrade Ubuntu:16.04 heimdal to version 1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3116
• https://www.kb.cert.org/vuls/id/730793
• https://security.netapp.com/advisory/ntap-20230505-0010/

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.

Remediation

Upgrade Ubuntu:16.04 heimdal to version 1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-44758
• https://github.com/heimdal/heimdal/security/advisories/GHSA-69h9-669w-88xv
• https://github.com/heimdal/heimdal/commit/f9ec7002cdd526ae84fbacbf153162e118f22580
• https://security.gentoo.org/glsa/202310-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are no known workarounds for this issue.

Remediation

Upgrade Ubuntu:16.04 heimdal to version 1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-41916
• https://github.com/heimdal/heimdal/security/advisories/GHSA-mgqr-gvh6-23cx
• https://www.debian.org/security/2022/dsa-5287
• https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html
• https://security.netapp.com/advisory/ntap-20230216-0008/
• https://security.gentoo.org/glsa/202310-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade Ubuntu:16.04 openssl to version 1.0.2g-1ubuntu4.20+esm6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-0215
• https://www.openssl.org/news/secadv/20230207.txt
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344
• https://security.netapp.com/advisory/ntap-20230427-0007/
• https://security.netapp.com/advisory/ntap-20230427-0009/
• https://security.gentoo.org/glsa/202402-08

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Remediation

Upgrade Ubuntu:16.04 python2.7 to version 2.7.12-1ubuntu0~16.04.18+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-45061
• https://github.com/python/cpython/issues/98433
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/
• https://security.netapp.com/advisory/ntap-20221209-0007/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/
• https://security.gentoo.org/glsa/202305-02
• https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
• https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNSALFGMPYTINIF57HAAK46U72WQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FS6VHY4DCS74HBTEINUDOECQ2X6ZCH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WQPHKGNXUJC3TC3BDW5RKGROWRJVSFR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B3YI6JYARWU6GULWOHNUROSACT54XFFS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4MYQ3IV6NWA4CKSXEHW45CH2YNDHEPH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BWJREJHWVRBYDP43YB5WRL3QC7UBA7BR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTPVDZDATRQFE6KAT6B4BQIQ4GRHIIIJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCDJXNBHWXNYUTOEV4H2HCFSRKV3SYL3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JTYVESWVBPD57ZJC35G5722Q6TS37WSB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNE4GMD45RGC2HWUAAIGTDHT5VJ2E4O4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKWAMPURWUV3DCCT4J7VHRF4NT2CFVBR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O67LRHDTJWH544KXB6KY4HMHQLYDXFPK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORVCQGJCCAVLN4DJDTWGREFCUWXKQRML/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PLQ2BNZVBBAQPV3SPRU24ZD37UYJJS7W/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCKD4AFBHXIMHS64ZER2U7QRT33HNE7L/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH57BNT4VQERGEJ5SXNXSVMDYP66YD4H/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTN2OOLKYTG34DODUEJGT5MLC2PFGPBA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T3D5TX4TDJPXHXD2QICKTY3OCQC3JARP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHVW73QZJMHA4MK7JBT7CXX7XSNYQEGF/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMDX6IFKLOA3NXUQEV524L5LHTPI2JI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3EJ6J7PXVQOULBQZQGBXCXY6LFF6LZD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXZJL3CNAFS5PAIR7K4RL62S3Y7THR7O/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPNWZKXPKTNHS5FVMN7UQZ2UPCSEFJUK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB5YCMIRVX35RUB6XPOWKENCVCJEVDRK/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

Remediation

Upgrade Ubuntu:16.04 python2.7 to version 2.7.12-1ubuntu0~16.04.18+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-0391
• https://bugs.python.org/issue43882
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U/
• https://security.netapp.com/advisory/ntap-20220225-0009/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://security.gentoo.org/glsa/202305-02
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Remediation

Upgrade Ubuntu:16.04 python2.7 to version 2.7.12-1ubuntu0~16.04.18+esm5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-24329
• https://github.com/python/cpython/pull/99421
• https://pointernull.com/security/python-url-parse-problem.html
• https://security.netapp.com/advisory/ntap-20230324-0004/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/
• https://github.com/python/cpython/issues/102153
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
• https://www.kb.cert.org/vuls/id/127587
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

Remediation

Upgrade Ubuntu:16.04 python2.7 to version 2.7.12-1ubuntu0~16.04.18+esm8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48560
• https://bugs.python.org/issue39421
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://security.netapp.com/advisory/ntap-20230929-0008/
• https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZ5OOBWNYWXFTZDMCGHJVGDLDTHLWITJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VO7Y2YZSDK3UYJD2KBGLXRTGNG6T326J/

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

Remediation

Upgrade Ubuntu:16.04 sqlite3 to version 3.11.0-1ubuntu1.5+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-35737
• https://kb.cert.org/vuls/id/720344
• https://www.sqlite.org/cves.html
• https://sqlite.org/releaselog/3_39_2.html
• https://security.netapp.com/advisory/ntap-20220915-0009/
• https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/
• https://security.gentoo.org/glsa/202210-40

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In SQlite 3.31.1, a potential null pointer derreference was found in the INTERSEC query processing.

Remediation

Upgrade Ubuntu:16.04 sqlite3 to version 3.11.0-1ubuntu1.5+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-35525
• https://www.sqlite.org/src/info/a67cf5b7d37d5b14
• https://security.netapp.com/advisory/ntap-20230706-0007/

NVD Description

Note: Versions mentioned in the description apply only to the upstream subversion package and not the subversion package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7

Remediation

Upgrade Ubuntu:16.04 subversion to version 1.9.3-2ubuntu1.3+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-17525
• https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
• https://lists.debian.org/debian-lts-announce/2021/05/msg00000.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Remediation

Upgrade Ubuntu:16.04 zlib to version 1:1.2.8.dfsg-2ubuntu4.3+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-25032
• https://www.openwall.com/lists/oss-security/2022/03/24/1
• https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
• http://www.openwall.com/lists/oss-security/2022/03/25/2
• http://www.openwall.com/lists/oss-security/2022/03/26/1
• https://www.openwall.com/lists/oss-security/2022/03/28/1
• https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
• https://www.openwall.com/lists/oss-security/2022/03/28/3
• https://github.com/madler/zlib/issues/605
• https://www.debian.org/security/2022/dsa-5111
• https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
• https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
• https://support.apple.com/kb/HT213255
• https://support.apple.com/kb/HT213256
• https://support.apple.com/kb/HT213257
• http://seclists.org/fulldisclosure/2022/May/33
• http://seclists.org/fulldisclosure/2022/May/35
• http://seclists.org/fulldisclosure/2022/May/38
• https://security.netapp.com/advisory/ntap-20220526-0009/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://security.netapp.com/advisory/ntap-20220729-0004/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
• https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html
• https://security.gentoo.org/glsa/202210-42
• https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).

Remediation

Upgrade Ubuntu:16.04 openssl to version 1.0.2g-1ubuntu4.20+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-3712
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12
• https://security.netapp.com/advisory/ntap-20210827-0010/
• https://www.openssl.org/news/secadv/20210824.txt
• https://www.tenable.com/security/tns-2021-16
• https://www.debian.org/security/2021/dsa-4963
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html
• https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html
• http://www.openwall.com/lists/oss-security/2021/08/26/2
• https://kc.mcafee.com/corporate/index?page=content&id=SB10366
• https://www.tenable.com/security/tns-2022-02
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://security.gentoo.org/glsa/202209-02
• https://security.gentoo.org/glsa/202210-02
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12
• https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream apr package and not the apr package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

Remediation

Upgrade Ubuntu:16.04 apr to version 1.5.2-3ubuntu0.1~esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-35940
• http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E
• https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch
• https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E
• http://svn.apache.org/viewvc?view=revision&revision=1891198
• https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.httpd.apache.org%3E
• https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b@%3Cannounce.apache.org%3E
• http://www.openwall.com/lists/oss-security/2021/08/23/1
• https://www.oracle.com/security-alerts/cpujul2022.html
• http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw%40mail.gmail.com%3E
• https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55%40%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961%40%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.httpd.apache.org%3E
• https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

Remediation

There is no fixed version for Ubuntu:16.04 openssh.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-51767
• https://arxiv.org/abs/2309.02545
• https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77
• https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878
• https://access.redhat.com/security/cve/CVE-2023-51767
• https://bugzilla.redhat.com/show_bug.cgi?id=2255850
• https://ubuntu.com/security/CVE-2023-51767
• https://security.netapp.com/advisory/ntap-20240125-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream apr-util package and not the apr-util package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer.

This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.

Remediation

Upgrade Ubuntu:16.04 apr-util to version 1.5.4-1ubuntu0.1~esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-25147
• https://lists.apache.org/thread/np5gjqlohc4f62lr09vrn61vl44cylh8
• https://security.netapp.com/advisory/ntap-20240315-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade Ubuntu:16.04 curl to version 7.47.0-1ubuntu2.19+esm11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-46218
• https://curl.se/docs/CVE-2023-46218.html
• https://hackerone.com/reports/2212193
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
• https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
• https://www.debian.org/security/2023/dsa-5587
• https://security.netapp.com/advisory/ntap-20240125-0007/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

Remediation

Upgrade Ubuntu:16.04 expat to version 2.1.0-7ubuntu0.16.04.5+esm5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-25313
• https://github.com/libexpat/libexpat/pull/558
• http://www.openwall.com/lists/oss-security/2022/02/19/1
• https://www.debian.org/security/2022/dsa-5085
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/
• https://security.netapp.com/advisory/ntap-20220303-0008/
• https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg package and not the gnupg package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

Remediation

Upgrade Ubuntu:16.04 gnupg to version 1.4.20-1ubuntu3.3+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-34903
• https://dev.gnupg.org/T6027
• https://bugs.debian.org/1014157
• https://www.openwall.com/lists/oss-security/2022/06/30/1
• http://www.openwall.com/lists/oss-security/2022/07/02/1
• https://www.debian.org/security/2022/dsa-5174
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPTAR76EIZY7NQFENSOZO7U473257OVZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VN63GBTMRWO36Y7BKA2WQHROAKCXKCBL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRLWJQ76A4UKHI3Q36BKSJKS4LFLQO33/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU64FUVG2PRZBSHFOQRSP7KDVEIZ23OS/
• https://security.netapp.com/advisory/ntap-20220826-0005/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRLWJQ76A4UKHI3Q36BKSJKS4LFLQO33/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPTAR76EIZY7NQFENSOZO7U473257OVZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VN63GBTMRWO36Y7BKA2WQHROAKCXKCBL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU64FUVG2PRZBSHFOQRSP7KDVEIZ23OS/

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.

Remediation

Upgrade Ubuntu:16.04 heimdal to version 1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3437
• https://www.samba.org/samba/security/CVE-2022-3437.html
• https://bugzilla.redhat.com/show_bug.cgi?id=2137774
• https://access.redhat.com/security/cve/CVE-2022-3437
• http://www.openwall.com/lists/oss-security/2023/02/08/1
• https://security.netapp.com/advisory/ntap-20230216-0008/
• https://security.gentoo.org/glsa/202309-06
• https://security.gentoo.org/glsa/202310-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Remediation

Upgrade Ubuntu:16.04 krb5 to version 1.13.2+dfsg-5ubuntu2.2+esm4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-36054
• https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
• https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
• https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final
• https://web.mit.edu/kerberos/www/advisories/
• https://security.netapp.com/advisory/ntap-20230908-0004/
• https://lists.debian.org/debian-lts-announce/2023/10/msg00031.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Ubuntu:16.04 ncurses to version 6.0+20160213-1ubuntu1+esm4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-19189
• https://github.com/zjuchenyuan/fuzzpoc/blob/master/infotocap_poc5.md
• https://lists.debian.org/debian-lts-announce/2023/09/msg00033.html
• https://security.netapp.com/advisory/ntap-20231006-0005/
• https://support.apple.com/kb/HT214036
• https://support.apple.com/kb/HT214037
• https://support.apple.com/kb/HT214038
• http://seclists.org/fulldisclosure/2023/Dec/10
• http://seclists.org/fulldisclosure/2023/Dec/11
• http://seclists.org/fulldisclosure/2023/Dec/9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Remediation

Upgrade Ubuntu:16.04 openssh to version 1:7.2p2-4ubuntu2.10+esm5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-51385
• https://www.openssh.com/txt/release-9.6
• https://www.openwall.com/lists/oss-security/2023/12/18/2
• https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a
• https://www.debian.org/security/2023/dsa-5586
• https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html
• https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html
• http://www.openwall.com/lists/oss-security/2023/12/26/4
• https://security.gentoo.org/glsa/202312-17
• https://security.netapp.com/advisory/ntap-20240105-0005/
• https://support.apple.com/kb/HT214084
• http://seclists.org/fulldisclosure/2024/Mar/21

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

Remediation

Upgrade Ubuntu:16.04 openssl to version 1.0.2g-1ubuntu4.20+esm9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-2650
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a
• https://www.openssl.org/news/secadv/20230530.txt
• http://www.openwall.com/lists/oss-security/2023/05/30/1
• https://www.debian.org/security/2023/dsa-5417
• https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009
• https://security.netapp.com/advisory/ntap-20230703-0001/
• https://security.netapp.com/advisory/ntap-20231027-0009/
• https://security.gentoo.org/glsa/202402-08

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

Remediation

Upgrade Ubuntu:16.04 python2.7 to version 2.7.12-1ubuntu0~16.04.18+esm9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48564
• https://bugs.python.org/issue42103
• https://security.netapp.com/advisory/ntap-20230929-0009/
• https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:16.04 wget.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-31879
• https://security.netapp.com/advisory/ntap-20210618-0002/
• https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Remediation

Upgrade Ubuntu:16.04 curl to version 7.47.0-1ubuntu2.19+esm8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-27535
• https://hackerone.com/reports/1892780
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/
• https://security.netapp.com/advisory/ntap-20230420-0010/
• https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html
• https://security.gentoo.org/glsa/202310-12
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got before the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

Remediation

Upgrade Ubuntu:16.04 curl to version 7.47.0-1ubuntu2.19+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-22947
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/
• https://hackerone.com/reports/1334763
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html
• https://security.netapp.com/advisory/ntap-20211029-0003/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://support.apple.com/kb/HT213183
• http://seclists.org/fulldisclosure/2022/Mar/29
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.debian.org/security/2022/dsa-5197
• https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
• https://security.gentoo.org/glsa/202212-01
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

Remediation

Upgrade Ubuntu:16.04 curl to version 7.47.0-1ubuntu2.19+esm4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-32208
• https://hackerone.com/reports/1590071
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/
• https://www.debian.org/security/2022/dsa-5197
• https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
• https://security.netapp.com/advisory/ntap-20220915-0003/
• https://support.apple.com/kb/HT213488
• http://seclists.org/fulldisclosure/2022/Oct/41
• http://seclists.org/fulldisclosure/2022/Oct/28
• https://security.gentoo.org/glsa/202212-01
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A use after free vulnerability exists in curl <7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.

Remediation

Upgrade Ubuntu:16.04 curl to version 7.47.0-1ubuntu2.19+esm7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-43552
• https://hackerone.com/reports/1764858
• https://security.netapp.com/advisory/ntap-20230214-0002/
• https://support.apple.com/kb/HT213670
• http://seclists.org/fulldisclosure/2023/Mar/17
• https://security.gentoo.org/glsa/202310-12

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

Remediation

There is no fixed version for Ubuntu:16.04 gnutls28.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-5981
• https://access.redhat.com/security/cve/CVE-2023-5981
• https://bugzilla.redhat.com/show_bug.cgi?id=2248445
• https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23
• https://access.redhat.com/errata/RHSA-2024:0155
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/errata/RHSA-2024:0319
• https://access.redhat.com/errata/RHSA-2024:0399
• https://access.redhat.com/errata/RHSA-2024:0451
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://access.redhat.com/errata/RHSA-2024:0533
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

Remediation

Upgrade Ubuntu:16.04 libgcrypt20 to version 1.6.5-2ubuntu0.6+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-40528
• https://eprint.iacr.org/2021/923
• https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
• https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
• https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320
• https://security.gentoo.org/glsa/202210-13
• https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f2e23e16adf3ed5176e0f2413d8861320

NVD Description

Note: Versions mentioned in the description apply only to the upstream mercurial package and not the mercurial package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

Remediation

There is no fixed version for Ubuntu:16.04 mercurial.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-3902
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3902
• https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html
• https://security-tracker.debian.org/tracker/CVE-2019-3902
• https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
• https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902
• https://usn.ubuntu.com/4086-1/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Remediation

Upgrade Ubuntu:16.04 openssh to version 1:7.2p2-4ubuntu2.10+esm5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-48795
• https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42
• https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25
• https://github.com/openssh/openssh-portable/commits/master
• https://github.com/ronf/asyncssh/tags
• https://gitlab.com/libssh/libssh-mirror/-/tags
• https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ
• https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/
• https://matt.ucc.asn.au/dropbear/CHANGES
• https://www.bitvise.com/ssh-server-version-history
• https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
• https://www.openssh.com/openbsd.html
• https://www.openssh.com/txt/release-9.6
• https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/
• https://www.terrapin-attack.com
• https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0
• https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
• https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst
• https://github.com/warp-tech/russh/releases/tag/v0.40.2
• https://thorntech.com/cve-2023-48795-and-sftp-gateway/
• https://twitter.com/TrueSkrillor/status/1736774389725565005
• https://www.openwall.com/lists/oss-security/2023/12/18/2
• http://www.openwall.com/lists/oss-security/2023/12/18/3
• https://github.com/paramiko/paramiko/issues/2337
• https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
• https://news.ycombinator.com/item?id=38684904
• https://news.ycombinator.com/item?id=38685286
• https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6
• https://github.com/mwiede/jsch/issues/457
• https://access.redhat.com/security/cve/cve-2023-48795
• https://bugs.gentoo.org/920280
• https://bugzilla.redhat.com/show_bug.cgi?id=2254210
• https://bugzilla.suse.com/show_bug.cgi?id=1217950
• https://github.com/advisories/GHSA-45x7-px36-x8w8
• https://github.com/drakkan/sftpgo/releases/tag/v2.5.6
• https://github.com/erlang/otp/releases/tag/OTP-26.2.1
• https://github.com/mwiede/jsch/pull/461
• https://security-tracker.debian.org/tracker/CVE-2023-48795
• https://security-tracker.debian.org/tracker/source-package/libssh2
• https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg
• https://ubuntu.com/security/CVE-2023-48795
• https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/
• https://github.com/libssh2/libssh2/pull/1291
• https://forum.netgate.com/topic/184941/terrapin-ssh-attack
• https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5
• https://github.com/rapier1/hpn-ssh/releases
• https://crates.io/crates/thrussh/versions
• https://github.com/NixOS/nixpkgs/pull/275249
• https://github.com/TeraTermProject/teraterm/releases/tag/v5.1
• https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab
• https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22
• https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3
• https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15
• https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES
• https://github.com/proftpd/proftpd/issues/456
• https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC
• https://oryx-embedded.com/download/#changelog
• https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
• https://www.netsarang.com/en/xshell-update-history/
• https://www.paramiko.org/changelog.html
• http://www.openwall.com/lists/oss-security/2023/12/19/5
• https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc
• https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
• http://www.openwall.com/lists/oss-security/2023/12/20/3
• https://github.com/apache/mina-sshd/issues/445
• https://github.com/hierynomus/sshj/issues/916
• https://github.com/janmojzis/tinyssh/issues/81
• https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES
• https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES
• https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16
• https://security-tracker.debian.org/tracker/source-package/trilead-ssh2
• https://www.openwall.com/lists/oss-security/2023/12/20/3
• http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
• https://www.debian.org/security/2023/dsa-5586
• https://filezilla-project.org/versions.php
• https://github.com/PowerShell/Win32-OpenSSH/issues/2189
• https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta
• https://github.com/cyd01/KiTTY/issues/520
• https://help.panic.com/releasenotes/transmit5/
• https://nova.app/releases/#v11.8
• https://roumenpetrov.info/secsh/#news20231220
• https://winscp.net/eng/docs/history#6.2.2
• https://www.bitvise.com/ssh-client-version-history#933
• https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508
• https://www.theregister.com/2023/12/20/terrapin_attack_ssh
• https://www.vandyke.com/products/securecrt/history.txt
• https://www.debian.org/security/2023/dsa-5588
• https://github.com/ssh-mitm/ssh-mitm/issues/165
• https://news.ycombinator.com/item?id=38732005
• https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html
• https://security.gentoo.org/glsa/202312-16
• https://security.gentoo.org/glsa/202312-17
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/
• https://security.netapp.com/advisory/ntap-20240105-0004/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/
• https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html
• https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/
• https://support.apple.com/kb/HT214084
• http://seclists.org/fulldisclosure/2024/Mar/21
• https://github.com/projectdiscovery/nuclei-templates/blob/master/javascript/cves/2023/CVE-2023-48795.yaml

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

Remediation

Upgrade Ubuntu:16.04 python2.7 to version 2.7.12-1ubuntu0~16.04.18+esm7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48566
• https://bugs.python.org/issue40791
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://security.netapp.com/advisory/ntap-20231006-0013/
• https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-5 package and not the gcc-5 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."

Remediation

There is no fixed version for Ubuntu:16.04 gcc-5.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13844
• http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html
• https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
• https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions
• https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html
• https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gccgo-6 package and not the gccgo-6 package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."

Remediation

There is no fixed version for Ubuntu:16.04 gccgo-6.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13844
• http://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html
• https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
• https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/frequently-asked-questions
• https://gcc.gnu.org/pipermail/gcc-patches/2020-June/547520.html
• https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00039.html
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00040.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's $GIT_DIR/objects directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via --no-hardlinks). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the --recurse-submodules option. Git does not create symbolic links in the $GIT_DIR/objects directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the --local optimization when on a shared machine, either by passing the --no-local option to git clone or cloning from a URL that uses the file:// scheme. Alternatively, avoid cloning repositories from untrusted sources with --recurse-submodules or run git config --global protocol.file.allow user.

Remediation

Upgrade Ubuntu:16.04 git to version 1:2.7.4-0ubuntu1.10+esm6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-39253
• https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VFYXCTLOSESYIP72BUYD6ECDIMUM4WMB/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
• https://support.apple.com/kb/HT213496
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
• http://seclists.org/fulldisclosure/2022/Nov/1
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMQWGMDLX6KTVWW5JZLVPI7ICAK72TN7/
• https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
• http://www.openwall.com/lists/oss-security/2023/02/14/5
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMQWGMDLX6KTVWW5JZLVPI7ICAK72TN7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VFYXCTLOSESYIP72BUYD6ECDIMUM4WMB/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links, the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.

A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with --recurse-submodules. Instead, consider cloning repositories without recursively cloning their submodules, and instead run git submodule update at each layer. Before doing so, inspect each new .gitmodules file to ensure that it does not contain suspicious module URLs.

Remediation

Upgrade Ubuntu:16.04 git to version 1:2.7.4-0ubuntu1.10+esm5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-22490
• https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd
• https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85
• https://github.com/git/git/security/advisories/GHSA-gw92-x3fm-3g3q
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.

Remediation

Upgrade Ubuntu:16.04 libzstd to version 1.3.1+dfsg-1~ubuntu0.16.04.1+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-24031
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
• https://github.com/facebook/zstd/issues/1630
• https://www.facebook.com/security/advisories/cve-2021-24031

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

Remediation

Upgrade Ubuntu:16.04 pam to version 1.1.8-3.2ubuntu2.3+esm5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-22365
• http://www.openwall.com/lists/oss-security/2024/01/18/3
• https://github.com/linux-pam/linux-pam
• https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
• https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.

Remediation

Upgrade Ubuntu:16.04 systemd to version 229-4ubuntu21.31+esm3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3821
• https://github.com/systemd/systemd/issues/23928
• https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e
• https://github.com/systemd/systemd/pull/23933
• https://bugzilla.redhat.com/show_bug.cgi?id=2139327
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RVBQC2VLSDVQAPJTEMTREXDL4HYLXG2P/
• https://security.gentoo.org/glsa/202305-15
• https://lists.debian.org/debian-lts-announce/2023/06/msg00036.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RVBQC2VLSDVQAPJTEMTREXDL4HYLXG2P/

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.