
USN-5902-1: PHP vulnerabilities

2023-02-28 KENNETH 0

It was discovered that PHP incorrectly handled certain invalid Blowfish password hashes. An invalid password hash could possibly allow applications to accept any password as valid, contrary to expectations. (CVE-2023-0567)

It was discovered that PHP incorrectly handled resolving long paths. A remote attacker could possibly use this issue to obtain or modify sensitive information. (CVE-2023-0568)

It was discovered that PHP incorrectly handled a large number of parts in HTTP form uploads. A remote attacker could possibly use this issue to cause PHP to consume resources, leading to a denial of service. (CVE-2023-0662)

Source: USN-5902-1: PHP vulnerabilities


USN-5821-3: pip regression

2023-02-28 KENNETH 0

USN-5821-1 fixed a vulnerability in wheel and pip. Unfortunately, it was missing a commit to fix it properly in pip. We apologize for the inconvenience.

Original advisory details:

Sebastian Chnelik discovered that wheel incorrectly handled certain file names when validated against a regex expression. An attacker could possibly use this issue to cause a denial of service.

Source: USN-5821-3: pip regression


USN-5901-1: GnuTLS vulnerability

2023-02-28 KENNETH 0

Hubert Kario discovered that GnuTLS had a timing side-channel when handling certain RSA messages. A remote attacker could possibly use this issue to recover sensitive information.

Source: USN-5901-1: GnuTLS vulnerability


USN-5899-1: AWStats vulnerability

2023-02-28 KENNETH 0

It was discovered that AWStats did not properly sanitize the content of whois responses in the hostinfo plugin. An attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks.

Source: USN-5899-1: AWStats vulnerability


USN-5898-1: OpenJDK vulnerabilities

2023-02-28 KENNETH 0

It was discovered that the Serialization component of OpenJDK did not properly handle the deserialization of some CORBA objects. An attacker could possibly use this to bypass Java sandbox restrictions. (CVE-2023-21830)

Markus Loewe discovered that the Java Sound subsystem in OpenJDK did not properly validate the origin of a Soundbank. An attacker could use this to specially craft an untrusted Java application or applet that could load a Soundbank from an attacker controlled remote URL. (CVE-2023-21843)

Source: USN-5898-1: OpenJDK vulnerabilities