Ubuntu security

USN-4336-3: GNU binutils vulnerabilities USN-4336-1 fixed several vulnerabilities in GNU. This update provides the corresponding update for Ubuntu 14.04 LTS. Original advisory details: It was discovered that GNU binutils contained a large number of security issues. If a user or automated system were tricked into processing a specially-crafted file, a remote attacker could cause GNU binutils to crash, resulting in a denial of service, or possibly execute arbitrary code. Source: USN-4336-3: GNU binutils vulnerabilities

USN-6279-1: OpenSSH update It was discovered that OpenSSH has an observable discrepancy leading to an information leak in the algorithm negotiation. This update mitigates the issue by tweaking the client hostkey preference ordering algorithm to prefer the default ordering if the user has a key that matches the best-preference default algorithm. Source: USN-6279-1: OpenSSH update

USN-6278-1: .NET vulnerabilities It was discovered that .NET did not properly handle the execution of certain commands. An attacker could possibly use this issue to achieve remote code execution. (CVE-2023-35390) Benoit Foucher discovered that .NET did not properly implement the QUIC stream limit in HTTP/3. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-38178) It was discovered that .NET did not properly handle the disconnection of potentially malicious clients interfacing with a Kestrel server. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-38180) Source: USN-6278-1: .NET vulnerabilities

USN-6277-1: Dompdf vulnerabilities It was discovered that Dompdf was not properly validating untrusted input when processing HTML content under certain circumstances. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2014-5011, CVE-2014-5012, CVE-2014-5013) It was discovered that Dompdf was not properly validating processed HTML content that referenced PHAR files, which could result in the deserialization of untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2021-3838) It was discovered that Dompdf was not properly validating processed HTML content that referenced both a remote base and a local file, which could result in the bypass of a chroot check. An attacker could possibly use this issue to expose sensitive information. (CVE-2022-2400) Source: USN-6277-1: Dompdf vulnerabilities

USN-6267-2: Firefox regressions USN-6267-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4051, CVE-2023-4053, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-4058) Max Vlasov discovered that Firefox Offscreen Canvas did not properly track cross-origin tainting. An attacker could potentially exploit this issue to access image data from another site in violation of same-origin policy. (CVE-2023-4045) Alexander Guryanov discovered that Firefox did not properly update the value of a global variable in WASM JIT analysis in some circumstances. An attacker could potentially exploit this issue to cause a [ more… ]