Tanzu Security RSS Feed https://tanzu.vmware.com/security Feed for Tanzu CVEs http://www.rssboard.org/rss-specification Thu, 28 Mar 2024 22:15:32 +0000 USN-6420-1: Vim vulnerabilities https://tanzu.vmware.com/security/usn-6420-1 medium VMware Tanzu <p>It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-3235, CVE-2022-3278, CVE-2022-3297, CVE-2022-3491) It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3352, CVE-2022-4292) It was discovered that Vim incorrectly handled memory when replacing in virtualedit mode. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3234) It was discovered that Vim incorrectly handled memory when autocmd changes mark. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-3256) It was discovered that Vim did not properly perform checks on array index with negative width window. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. (CVE-2022-3324) It was discovered that Vim did not properly perform checks on a put command column with a visual block. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3520) It was discovered that Vim incorrectly handled memory when using autocommand to open a window. An attacker could possibly use this issue to cause a denial of service. 
(CVE-2022-3591) It was discovered that Vim incorrectly handled memory when updating buffer of the component autocmd handler. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-3705) It was discovered that Vim incorrectly handled floating point comparison with incorrect operator. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-4293) Update Instructions: Run `sudo pro fix USN-6420-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: vim-common - 2:8.0.1453-1ubuntu1.13+esm5 vim-gnome - 2:8.0.1453-1ubuntu1.13+esm5 vim-athena - 2:8.0.1453-1ubuntu1.13+esm5 xxd - 2:8.0.1453-1ubuntu1.13+esm5 vim-gtk - 2:8.0.1453-1ubuntu1.13+esm5 vim-gui-common - 2:8.0.1453-1ubuntu1.13+esm5 vim - 2:8.0.1453-1ubuntu1.13+esm5 vim-doc - 2:8.0.1453-1ubuntu1.13+esm5 vim-tiny - 2:8.0.1453-1ubuntu1.13+esm5 vim-runtime - 2:8.0.1453-1ubuntu1.13+esm5 vim-gtk3 - 2:8.0.1453-1ubuntu1.13+esm5 vim-nox - 2:8.0.1453-1ubuntu1.13+esm5 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2022-3256, CVE-2022-3324, CVE-2022-3591, CVE-2022-3234, CVE-2022-3235, CVE-2022-3278, CVE-2022-3297, CVE-2022-3352, CVE-2022-3491, CVE-2022-3520, CVE-2022-3705, CVE-2022-4292, CVE-2022-4293</p> Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Isolation Segment 2.11.x versions prior to 2.11.41 2.13.x versions prior to 2.13.26 3.0.x versions prior to 3.0.19, or later versions with Jammy Stemcells prior to 1.260 4.0.x versions prior to 4.0.11+LTS-T, or later versions with Jammy Stemcells prior to 1.260 Operations Manager 3.0.x versions prior to 3.0.17+LTS-T Redis for Pivotal Platform 3.2.x versions with Jammy Stemcells prior to 1.260 3.3.x versions with Jammy Stemcells prior to 1.260 VMware Tanzu Application Service for VMs
2.11.x versions prior to 2.11.47 2.13.x versions prior to 2.13.29 3.0.x versions prior to 3.0.19, or later versions with Jammy Stemcells prior to 1.260 4.0.x versions prior to 4.0.11+LTS-T, or later versions with Jammy Stemcells prior to 1.260 Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Isolation Segment 2.11.41 2.13.26 3.0.19, and upgrade Jammy Stemcells to 1.260 or greater 4.0.11+LTS-T, and upgrade Jammy Stemcells to 1.260 or greater Operations Manager 3.0.17+LTS-T Redis for Pivotal Platform 3.2.x: Upgrade Jammy Stemcells to 1.260 or greater 3.3.x: Upgrade Jammy Stemcells to 1.260 or greater VMware Tanzu Application Service for VMs 2.11.47 2.13.29 3.0.19, and upgrade Jammy Stemcells to 1.260 or greater 4.0.11+LTS-T, and upgrade Jammy Stemcells to 1.260 or greater https://ubuntu.com/security/CVE-2022-3256 https://ubuntu.com/security/CVE-2022-3324 https://ubuntu.com/security/CVE-2022-3591 https://ubuntu.com/security/CVE-2022-3234 https://ubuntu.com/security/CVE-2022-3235 https://ubuntu.com/security/CVE-2022-3278 https://ubuntu.com/security/CVE-2022-3297 https://ubuntu.com/security/CVE-2022-3352 https://ubuntu.com/security/CVE-2022-3491 https://ubuntu.com/security/CVE-2022-3520 https://ubuntu.com/security/CVE-2022-3705 https://ubuntu.com/security/CVE-2022-4292 https://ubuntu.com/security/CVE-2022-4293 https://ubuntu.com/security/notices/USN-6420-1 https://cloudfoundry.org/blog/usn-6420-1 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6420-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6407-2: libx11 vulnerabilities https://tanzu.vmware.com/security/usn-6407-2 medium VMware Tanzu <p>USN-6407-1 fixed several vulnerabilities in libx11. 
This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: Gregory James Duck discovered that libx11 incorrectly handled certain keyboard symbols. If a user were tricked into connecting to a malicious X server, a remote attacker could use this issue to cause libx11 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-43785) Yair Mizrahi discovered that libx11 incorrectly handled certain malformed XPM image files. If a user were tricked into opening a specially crafted XPM image file, a remote attacker could possibly use this issue to consume memory, leading to a denial of service. (CVE-2023-43786) Yair Mizrahi discovered that libx11 incorrectly handled certain malformed XPM image files. If a user were tricked into opening a specially crafted XPM image file, a remote attacker could use this issue to cause libx11 to crash, leading to a denial of service, or possibly execute arbitrary code. (CVE-2023-43787) Update Instructions: Run `sudo pro fix USN-6407-2` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: libx11-6 - 2:1.6.3-1ubuntu2.2+esm4 libx11-data - 2:1.6.3-1ubuntu2.2+esm4 libx11-xcb-dev - 2:1.6.3-1ubuntu2.2+esm4 libx11-xcb1 - 2:1.6.3-1ubuntu2.2+esm4 libx11-doc - 2:1.6.3-1ubuntu2.2+esm4 libx11-dev - 2:1.6.3-1ubuntu2.2+esm4 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-43785, CVE-2023-43786, CVE-2023-43787</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Platform Automation Toolkit 4.0.x versions prior to 4.0.13 4.1.x versions prior to 4.1.13 4.2.x versions prior to 4.2.8 4.3.x versions prior to 4.3.5 Isolation Segment 2.11.x versions prior to 2.11.41 2.13.x versions prior to 2.13.26 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T Operations Manager 2.7.x versions prior to 2.7.25 2.8.x versions prior to 2.8.16 2.9.x versions prior to 2.9.12 2.10.x versions prior to 2.10.3 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.47 2.13.x versions prior to 2.13.29 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Platform Automation Toolkit 4.0.13 4.1.13 4.2.8 4.3.5 Isolation Segment 2.11.41 2.13.26 3.0.19 4.0.11+LTS-T Operations Manager 2.7.25 2.8.16 2.9.12 2.10.3 VMware Tanzu Application Service for VMs 2.11.47 2.13.29 3.0.19 4.0.11+LTS-T https://ubuntu.com/security/CVE-2023-43785 https://ubuntu.com/security/CVE-2023-43786 https://ubuntu.com/security/CVE-2023-43787 https://ubuntu.com/security/notices/USN-6407-2 https://cloudfoundry.org/blog/usn-6407-2 2023-12-04: Initial vulnerability report published. 
https://tanzu.vmware.com/security/usn-6407-2 Mon, 04 Dec 2023 00:00:00 +0000 USN-6413-1: GNU binutils vulnerabilities https://tanzu.vmware.com/security/usn-6413-1 medium VMware Tanzu <p>It was discovered that GNU binutils was not properly performing checks when dealing with memory allocation operations, which could lead to excessive memory consumption. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2017-17122, CVE-2017-8421) It was discovered that GNU binutils was not properly performing bounds checks when processing debug sections with objdump, which could lead to an overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2018-20671, CVE-2018-6543) It was discovered that GNU binutils contained a reachable assertion, which could lead to an intentional assertion failure when processing certain crafted DWARF files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-35205) It was discovered that GNU binutils incorrectly handled memory management operations in several of its functions, which could lead to excessive memory consumption due to memory leaks. An attacker could possibly use these issues to cause a denial of service. (CVE-2022-47007, CVE-2022-47008, CVE-2022-47010, CVE-2022-47011) It was discovered that GNU binutils was not properly performing bounds checks when dealing with memory allocation operations, which could lead to excessive memory consumption. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-48063) Update Instructions: Run `sudo pro fix USN-6413-1` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: binutils-dev - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-powerpc-linux-gnuspe - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-arm-linux-gnueabihf - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-hppa64-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-multiarch - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-mipsel-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-m68k-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-s390x-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-multiarch-dev - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-doc - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-sh4-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-mips64-linux-gnuabi64 - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-aarch64-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-source - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-mips64el-linux-gnuabi64 - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-mips-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-powerpc64le-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-powerpc64-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-hppa-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-sparc64-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-arm-linux-gnueabi - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-alpha-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils-powerpc-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm9 binutils - 2.26.1-1ubuntu1~16.04.8+esm9 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2017-17122, CVE-2017-8421, CVE-2018-20671, CVE-2018-6543, CVE-2022-35205, CVE-2022-47007, CVE-2022-47008, CVE-2022-47010, CVE-2022-47011, CVE-2022-48063</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Platform Automation Toolkit 4.0.x versions prior to 4.0.13 4.1.x versions prior to 4.1.13 4.2.x versions prior to 4.2.8 4.3.x versions prior to 4.3.5 Isolation Segment 2.11.x versions prior to 2.11.41, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions 
prior to 2.13.26, or later versions with Xenial Stemcells prior to 621.730 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T Operations Manager 2.10.x versions prior to 2.10.65 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.47, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions prior to 2.13.29, or later versions with Xenial Stemcells prior to 621.730 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Platform Automation Toolkit 4.0.13 4.1.13 4.2.8 4.3.5 Isolation Segment 2.11.41, and upgrade Xenial Stemcells to 621.730 or greater 2.13.26, and upgrade Xenial Stemcells to 621.730 or greater 3.0.19 4.0.11+LTS-T Operations Manager 2.10.65 VMware Tanzu Application Service for VMs 2.11.47, and upgrade Xenial Stemcells to 621.730 or greater 2.13.29, and upgrade Xenial Stemcells to 621.730 or greater 3.0.19 4.0.11+LTS-T https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17122 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20671 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6543 https://ubuntu.com/security/CVE-2022-35205 https://ubuntu.com/security/CVE-2022-47007 https://ubuntu.com/security/CVE-2022-47008 https://ubuntu.com/security/CVE-2022-47010 https://ubuntu.com/security/CVE-2022-47011 https://ubuntu.com/security/CVE-2022-48063 https://ubuntu.com/security/notices/USN-6413-1 https://cloudfoundry.org/blog/usn-6413-1 2023-12-04: Initial vulnerability report published. 
https://tanzu.vmware.com/security/usn-6413-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6421-1: Bind vulnerability https://tanzu.vmware.com/security/usn-6421-1 medium VMware Tanzu <p>It was discovered that Bind incorrectly handled certain control channel messages. A remote attacker with access to the control channel could possibly use this issue to cause Bind to crash, resulting in a denial of service. Update Instructions: Run `sudo pro fix USN-6421-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libisc160 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libisccc-export140-udeb - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libdns162 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libbind-dev - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libbind9-140 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libisccc-export140 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libisccfg-export140 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 bind9 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libisc-export160 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 bind9-doc - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libbind-export-dev - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libisccc140 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 host - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libisccfg140 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 bind9-host - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 dnsutils - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libdns-export162 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 bind9utils - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 liblwres141 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libirs141 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 libirs-export141 - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 lwresd - 1:9.10.3.dfsg.P4-8ubuntu1.19+esm7 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-3341</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Isolation Segment 2.11.x versions prior to 2.11.41, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions prior to 2.13.26, or later versions with Xenial Stemcells prior 
to 621.730 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T Operations Manager 2.10.x versions prior to 2.10.65 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.47, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions prior to 2.13.29, or later versions with Xenial Stemcells prior to 621.730 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Isolation Segment 2.11.41, and upgrade Xenial Stemcells to 621.730 or greater 2.13.26, and upgrade Xenial Stemcells to 621.730 or greater 3.0.19 4.0.11+LTS-T Operations Manager 2.10.65 VMware Tanzu Application Service for VMs 2.11.47, and upgrade Xenial Stemcells to 621.730 or greater 2.13.29, and upgrade Xenial Stemcells to 621.730 or greater 3.0.19 4.0.11+LTS-T https://ubuntu.com/security/CVE-2023-3341 https://ubuntu.com/security/notices/USN-6421-1 https://cloudfoundry.org/blog/usn-6421-1 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6421-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6394-2: Python vulnerability https://tanzu.vmware.com/security/usn-6394-2 medium VMware Tanzu <p>USN-6394-1 fixed a vulnerability in Python. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: It was discovered that Python incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code or cause a crash. Update Instructions: Run `sudo pro fix USN-6394-2` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: libpython2.7-minimal - 2.7.12-1ubuntu0~16.04.18+esm8 libpython2.7 - 2.7.12-1ubuntu0~16.04.18+esm8 python2.7 - 2.7.12-1ubuntu0~16.04.18+esm8 python2.7-dev - 2.7.12-1ubuntu0~16.04.18+esm8 libpython2.7-testsuite - 2.7.12-1ubuntu0~16.04.18+esm8 libpython2.7-dev - 2.7.12-1ubuntu0~16.04.18+esm8 python2.7-minimal - 2.7.12-1ubuntu0~16.04.18+esm8 idle-python2.7 - 2.7.12-1ubuntu0~16.04.18+esm8 python2.7-doc - 2.7.12-1ubuntu0~16.04.18+esm8 python2.7-examples - 2.7.12-1ubuntu0~16.04.18+esm8 libpython2.7-stdlib - 2.7.12-1ubuntu0~16.04.18+esm8 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2022-48560</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Platform Automation Toolkit 4.0.x versions prior to 4.0.13 4.1.x versions prior to 4.1.13 4.2.x versions prior to 4.2.8 4.3.x versions prior to 4.3.5 Isolation Segment 2.11.x versions prior to 2.11.42 2.13.x versions prior to 2.13.27 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Operations Manager 2.10.x versions prior to 2.10.50 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.48 2.13.x versions prior to 2.13.30 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. 
Releases that have fixed this issue include: Platform Automation Toolkit 4.0.13 4.1.13 4.2.8 4.3.5 Isolation Segment 2.11.42 2.13.27 3.0.20 4.0.12+LTS-T Operations Manager 2.10.50 VMware Tanzu Application Service for VMs 2.11.48 2.13.30 3.0.20 4.0.12+LTS-T https://ubuntu.com/security/CVE-2022-48560 https://ubuntu.com/security/notices/USN-6394-2 https://cloudfoundry.org/blog/usn-6394-2 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6394-2 Mon, 04 Dec 2023 00:00:00 +0000 USN-6430-1: FFmpeg vulnerabilities https://tanzu.vmware.com/security/usn-6430-1 medium VMware Tanzu <p>It was discovered that FFmpeg did not properly handle certain inputs in vf_lagfun.c, resulting in a buffer overflow vulnerability. An attacker could possibly use this issue to cause a denial of service via application crash. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-22024) It was discovered that FFmpeg incorrectly managed memory in avienc.c, resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. (CVE-2020-22039) It was discovered that FFmpeg incorrectly handled certain files due to a memory leak in frame.c. An attacker could possibly use this issue to cause a denial of service via application crash. This issue affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-22040) It was discovered that FFmpeg incorrectly handled certain files due to a memory leak in fifo.c. An attacker could possibly use this issue to cause a denial of service via application crash. (CVE-2020-22043) It was discovered that FFmpeg incorrectly handled certain files due to a memory leak in vf_tile.c. If a user or automated system were tricked into processing a specially crafted MOV file, an attacker could possibly use this issue to cause a denial of service. (CVE-2020-22051) It was discovered that FFmpeg incorrectly handled certain MOV files in timecode.c, leading to an integer overflow. 
An attacker could possibly use this issue to cause a denial of service using a crafted MOV file. This issue only affected Ubuntu 16.04 LTS. (CVE-2021-28429) Update Instructions: Run `sudo pro fix USN-6430-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libavresample-dev - 7:2.8.17-0ubuntu0.1+esm6 libswresample-ffmpeg1 - 7:2.8.17-0ubuntu0.1+esm6 libavresample-ffmpeg2 - 7:2.8.17-0ubuntu0.1+esm6 libavcodec-extra - 7:2.8.17-0ubuntu0.1+esm6 libswscale-ffmpeg3 - 7:2.8.17-0ubuntu0.1+esm6 libavcodec-dev - 7:2.8.17-0ubuntu0.1+esm6 libavutil-dev - 7:2.8.17-0ubuntu0.1+esm6 libavfilter-ffmpeg5 - 7:2.8.17-0ubuntu0.1+esm6 libpostproc-ffmpeg53 - 7:2.8.17-0ubuntu0.1+esm6 libavcodec-ffmpeg56 - 7:2.8.17-0ubuntu0.1+esm6 libswscale-dev - 7:2.8.17-0ubuntu0.1+esm6 libavformat-ffmpeg56 - 7:2.8.17-0ubuntu0.1+esm6 libswresample-dev - 7:2.8.17-0ubuntu0.1+esm6 libavdevice-dev - 7:2.8.17-0ubuntu0.1+esm6 libavcodec-ffmpeg-extra56 - 7:2.8.17-0ubuntu0.1+esm6 libavfilter-dev - 7:2.8.17-0ubuntu0.1+esm6 libpostproc-dev - 7:2.8.17-0ubuntu0.1+esm6 libavformat-dev - 7:2.8.17-0ubuntu0.1+esm6 ffmpeg - 7:2.8.17-0ubuntu0.1+esm6 libavutil-ffmpeg54 - 7:2.8.17-0ubuntu0.1+esm6 ffmpeg-doc - 7:2.8.17-0ubuntu0.1+esm6 libav-tools - 7:2.8.17-0ubuntu0.1+esm6 libavdevice-ffmpeg56 - 7:2.8.17-0ubuntu0.1+esm6 Available with Ubuntu Pro: https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2020-22040, CVE-2020-22024, CVE-2020-22039, CVE-2020-22043, CVE-2020-22051, CVE-2021-28429</p> Canonical Ubuntu 18.04 Isolation Segment 2.11.x versions prior to 2.11.42 2.13.x versions prior to 2.13.27 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.48 2.13.x versions prior to 2.13.30 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. 
On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Isolation Segment 2.11.42 2.13.27 3.0.20 4.0.12+LTS-T VMware Tanzu Application Service for VMs 2.11.48 2.13.30 3.0.20 4.0.12+LTS-T https://ubuntu.com/security/CVE-2020-22040 https://ubuntu.com/security/CVE-2020-22024 https://ubuntu.com/security/CVE-2020-22039 https://ubuntu.com/security/CVE-2020-22043 https://ubuntu.com/security/CVE-2020-22051 https://ubuntu.com/security/CVE-2021-28429 https://ubuntu.com/security/notices/USN-6430-1 https://cloudfoundry.org/blog/usn-6430-1 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6430-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6408-2: libXpm vulnerabilities https://tanzu.vmware.com/security/usn-6408-2 medium VMware Tanzu <p>USN-6408-1 fixed several vulnerabilities in libXpm. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: Yair Mizrahi discovered that libXpm incorrectly handled certain malformed XPM image files. If a user were tricked into opening a specially crafted XPM image file, a remote attacker could possibly use this issue to consume memory, leading to a denial of service. (CVE-2023-43786) Yair Mizrahi discovered that libXpm incorrectly handled certain malformed XPM image files. If a user were tricked into opening a specially crafted XPM image file, a remote attacker could use this issue to cause libXpm to crash, leading to a denial of service, or possibly execute arbitrary code. (CVE-2023-43787) Alan Coopersmith discovered that libXpm incorrectly handled certain malformed XPM image files. If a user were tricked into opening a specially crafted XPM image file, a remote attacker could possibly use this issue to cause libXpm to crash, leading to a denial of service. 
(CVE-2023-43788, CVE-2023-43789) Update Instructions: Run `sudo pro fix USN-6408-2` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: xpmutils - 1:3.5.11-1ubuntu0.16.04.1+esm2 libxpm-dev - 1:3.5.11-1ubuntu0.16.04.1+esm2 libxpm4 - 1:3.5.11-1ubuntu0.16.04.1+esm2 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-43786, CVE-2023-43787, CVE-2023-43788, CVE-2023-43789</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Isolation Segment 2.11.x versions prior to 2.11.42 2.13.x versions prior to 2.13.27 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Operations Manager 2.7.x versions prior to 2.7.25 2.8.x versions prior to 2.8.16 2.9.x versions prior to 2.9.12 2.10.x versions prior to 2.10.3 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.48 2.13.x versions prior to 2.13.30 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Isolation Segment 2.11.42 2.13.27 3.0.20 4.0.12+LTS-T Operations Manager 2.7.25 2.8.16 2.9.12 2.10.3 VMware Tanzu Application Service for VMs 2.11.48 2.13.30 3.0.20 4.0.12+LTS-T https://ubuntu.com/security/CVE-2023-43786 https://ubuntu.com/security/CVE-2023-43787 https://ubuntu.com/security/CVE-2023-43788 https://ubuntu.com/security/CVE-2023-43789 https://ubuntu.com/security/notices/USN-6408-2 https://cloudfoundry.org/blog/usn-6408-2 2023-12-04: Initial vulnerability report published. 
https://tanzu.vmware.com/security/usn-6408-2 Mon, 04 Dec 2023 00:00:00 +0000 USN-6452-1: Vim vulnerabilities https://tanzu.vmware.com/security/usn-6452-1 medium VMware Tanzu <p>It was discovered that Vim could be made to divide by zero. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04. (CVE-2023-3896) It was discovered that Vim did not properly manage memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2023-4733, CVE-2023-4750) It was discovered that Vim contained an arithmetic overflow. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-4734) It was discovered that Vim could be made to write out of bounds. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2023-4735, CVE-2023-5344) It was discovered that Vim could be made to write out of bounds. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 23.04 and Ubuntu 23.10. (CVE-2023-4738) It was discovered that Vim could be made to write out of bounds. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-4751) It was discovered that Vim did not properly manage memory. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-4752, CVE-2023-5535) It was discovered that Vim could be made to write out of bounds. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. 
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-4781) It was discovered that Vim could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-5441) Update Instructions: Run `sudo pro fix USN-6452-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: vim-common - 2:7.4.1689-3ubuntu1.5+esm20 vim-nox-py2 - 2:7.4.1689-3ubuntu1.5+esm20 vim-gnome - 2:7.4.1689-3ubuntu1.5+esm20 vim-athena-py2 - 2:7.4.1689-3ubuntu1.5+esm20 vim-athena - 2:7.4.1689-3ubuntu1.5+esm20 vim-gtk - 2:7.4.1689-3ubuntu1.5+esm20 vim-gui-common - 2:7.4.1689-3ubuntu1.5+esm20 vim - 2:7.4.1689-3ubuntu1.5+esm20 vim-gtk3-py2 - 2:7.4.1689-3ubuntu1.5+esm20 vim-doc - 2:7.4.1689-3ubuntu1.5+esm20 vim-gtk-py2 - 2:7.4.1689-3ubuntu1.5+esm20 vim-tiny - 2:7.4.1689-3ubuntu1.5+esm20 vim-gnome-py2 - 2:7.4.1689-3ubuntu1.5+esm20 vim-gtk3 - 2:7.4.1689-3ubuntu1.5+esm20 vim-nox - 2:7.4.1689-3ubuntu1.5+esm20 vim-runtime - 2:7.4.1689-3ubuntu1.5+esm20 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-3896, CVE-2023-4733, CVE-2023-4734, CVE-2023-4735, CVE-2023-4738, CVE-2023-4750, CVE-2023-4751, CVE-2023-4752, CVE-2023-4781, CVE-2023-5344, CVE-2023-5441, CVE-2023-5535</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Isolation Segment 2.11.x versions prior to 2.11.42, or later versions with Xenial Stemcells prior to 621.753 2.13.x versions prior to 2.13.27, or later versions with Xenial Stemcells prior to 621.753 3.0.x versions prior to 3.0.20, or later versions with Jammy Stemcells prior to 1.289 4.0.x versions prior to 4.0.12+LTS-T, or later versions with Jammy Stemcells prior to 1.289 Operations Manager 2.10.x versions prior to 2.10.66 3.0.x versions prior to 3.0.19+LTS-T Redis for Pivotal Platform 3.2.x versions with Jammy Stemcells prior to 1.289 3.3.x 
versions with Jammy Stemcells prior to 1.289 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.48, or later versions with Xenial Stemcells prior to 621.753 2.13.x versions prior to 2.13.30, or later versions with Xenial Stemcells prior to 621.753 3.0.x versions prior to 3.0.20, or later versions with Jammy Stemcells prior to 1.289 4.0.x versions prior to 4.0.12+LTS-T, or later versions with Jammy Stemcells prior to 1.289 Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Isolation Segment 2.11.42, and upgrade Xenial Stemcells to 621.753 or greater 2.13.27, and upgrade Xenial Stemcells to 621.753 or greater 3.0.20, and upgrade Jammy Stemcells to 1.289 or greater 4.0.12+LTS-T, and upgrade Jammy Stemcells to 1.289 or greater Operations Manager 2.10.66 3.0.19+LTS-T Redis for Pivotal Platform 3.2.x: Upgrade Jammy Stemcells to 1.289 or greater 3.3.x: Upgrade Jammy Stemcells to 1.289 or greater VMware Tanzu Application Service for VMs 2.11.48, and upgrade Xenial Stemcells to 621.753 or greater 2.13.30, and upgrade Xenial Stemcells to 621.753 or greater 3.0.20, and upgrade Jammy Stemcells to 1.289 or greater 4.0.12+LTS-T, and upgrade Jammy Stemcells to 1.289 or greater https://ubuntu.com/security/CVE-2023-3896 https://ubuntu.com/security/CVE-2023-4733 https://ubuntu.com/security/CVE-2023-4734 https://ubuntu.com/security/CVE-2023-4735 https://ubuntu.com/security/CVE-2023-4738 https://ubuntu.com/security/CVE-2023-4750 https://ubuntu.com/security/CVE-2023-4751 https://ubuntu.com/security/CVE-2023-4752 https://ubuntu.com/security/CVE-2023-4781 https://ubuntu.com/security/CVE-2023-5344 https://ubuntu.com/security/CVE-2023-5441 https://ubuntu.com/security/CVE-2023-5535 
https://ubuntu.com/security/notices/USN-6452-1 https://cloudfoundry.org/blog/usn-6452-1 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6452-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6400-1: Python vulnerability https://tanzu.vmware.com/security/usn-6400-1 medium VMware Tanzu <p>It was discovered that Python did not properly provide constant-time processing for a crypto operation. An attacker could possibly use this issue to perform a timing attack and recover sensitive information. Update Instructions: Run `sudo pro fix USN-6400-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: python2.7-dev - 2.7.12-1ubuntu0~16.04.18+esm7 python2.7-doc - 2.7.12-1ubuntu0~16.04.18+esm7 libpython2.7-stdlib - 2.7.12-1ubuntu0~16.04.18+esm7 libpython2.7-minimal - 2.7.12-1ubuntu0~16.04.18+esm7 libpython2.7 - 2.7.12-1ubuntu0~16.04.18+esm7 libpython2.7-testsuite - 2.7.12-1ubuntu0~16.04.18+esm7 python2.7 - 2.7.12-1ubuntu0~16.04.18+esm7 idle-python2.7 - 2.7.12-1ubuntu0~16.04.18+esm7 python2.7-examples - 2.7.12-1ubuntu0~16.04.18+esm7 libpython2.7-dev - 2.7.12-1ubuntu0~16.04.18+esm7 python2.7-minimal - 2.7.12-1ubuntu0~16.04.18+esm7 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro libpython3.5-stdlib - 3.5.2-2ubuntu0~16.04.13+esm11 python3.5-venv - 3.5.2-2ubuntu0~16.04.13+esm11 python3.5-doc - 3.5.2-2ubuntu0~16.04.13+esm11 python3.5-dev - 3.5.2-2ubuntu0~16.04.13+esm11 libpython3.5-dev - 3.5.2-2ubuntu0~16.04.13+esm11 libpython3.5-minimal - 3.5.2-2ubuntu0~16.04.13+esm11 python3.5 - 3.5.2-2ubuntu0~16.04.13+esm11 idle-python3.5 - 3.5.2-2ubuntu0~16.04.13+esm11 libpython3.5-testsuite - 3.5.2-2ubuntu0~16.04.13+esm11 python3.5-examples - 3.5.2-2ubuntu0~16.04.13+esm11 python3.5-minimal - 3.5.2-2ubuntu0~16.04.13+esm11 libpython3.5 - 3.5.2-2ubuntu0~16.04.13+esm11 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2022-48566</p> 
Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Platform Automation Toolkit 4.0.x versions prior to 4.0.13 4.1.x versions prior to 4.1.13 4.2.x versions prior to 4.2.8 4.3.x versions prior to 4.3.5 Isolation Segment 2.11.x versions prior to 2.11.40, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions prior to 2.13.25, or later versions with Xenial Stemcells prior to 621.730 3.0.x versions prior to 3.0.18 4.0.x versions prior to 4.0.10+LTS-T Operations Manager 2.10.x versions prior to 2.10.65 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.46, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions prior to 2.13.28, or later versions with Xenial Stemcells prior to 621.730 3.0.x versions prior to 3.0.18 4.0.x versions prior to 4.0.10+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Platform Automation Toolkit 4.0.13 4.1.13 4.2.8 4.3.5 Isolation Segment 2.11.40, and upgrade Xenial Stemcells to 621.730 or greater 2.13.25, and upgrade Xenial Stemcells to 621.730 or greater 3.0.18 4.0.10+LTS-T Operations Manager 2.10.65 VMware Tanzu Application Service for VMs 2.11.46, and upgrade Xenial Stemcells to 621.730 or greater 2.13.28, and upgrade Xenial Stemcells to 621.730 or greater 3.0.18 4.0.10+LTS-T https://ubuntu.com/security/CVE-2022-48566 https://ubuntu.com/security/notices/USN-6400-1 https://cloudfoundry.org/blog/usn-6400-1 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6400-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6403-2: libvpx vulnerabilities https://tanzu.vmware.com/security/usn-6403-2 medium VMware Tanzu <p>USN-6403-1 fixed several vulnerabilities in libvpx. 
This update provides the corresponding update for Ubuntu 18.04 LTS. Original advisory details: It was discovered that libvpx did not properly handle certain malformed media files. If an application using libvpx opened a specially crafted file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. Update Instructions: Run `sudo pro fix USN-6403-2` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libvpx-dev - 1.7.0-3ubuntu0.18.04.1+esm1 vpx-tools - 1.7.0-3ubuntu0.18.04.1+esm1 libvpx-doc - 1.7.0-3ubuntu0.18.04.1+esm1 libvpx5 - 1.7.0-3ubuntu0.18.04.1+esm1 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-44488, CVE-2023-5217</p> Canonical Ubuntu 18.04 Isolation Segment 2.11.x versions prior to 2.11.42 2.13.x versions prior to 2.13.27 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.48 2.13.x versions prior to 2.13.30 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Isolation Segment 2.11.42 2.13.27 3.0.20 4.0.12+LTS-T VMware Tanzu Application Service for VMs 2.11.48 2.13.30 3.0.20 4.0.12+LTS-T https://ubuntu.com/security/CVE-2023-44488 https://ubuntu.com/security/CVE-2023-5217 https://ubuntu.com/security/notices/USN-6403-2 https://cloudfoundry.org/blog/usn-6403-2 2023-12-04: Initial vulnerability report published. 
https://tanzu.vmware.com/security/usn-6403-2 Mon, 04 Dec 2023 00:00:00 +0000 USN-6428-1: LibTIFF vulnerability https://tanzu.vmware.com/security/usn-6428-1 low VMware Tanzu <p>It was discovered that LibTIFF could be made to read out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service. Update Instructions: Run `sudo pro fix USN-6428-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libtiff-opengl - 4.0.6-1ubuntu0.8+esm13 libtiffxx5 - 4.0.6-1ubuntu0.8+esm13 libtiff5-dev - 4.0.6-1ubuntu0.8+esm13 libtiff5 - 4.0.6-1ubuntu0.8+esm13 libtiff-tools - 4.0.6-1ubuntu0.8+esm13 libtiff-doc - 4.0.6-1ubuntu0.8+esm13 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-1916</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Isolation Segment 2.11.x versions prior to 2.11.41 2.13.x versions prior to 2.13.26 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T Operations Manager 2.7.x versions prior to 2.7.25 2.8.x versions prior to 2.8.16 2.9.x versions prior to 2.9.12 2.10.x versions prior to 2.10.3 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.47 2.13.x versions prior to 2.13.29 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. 
Releases that have fixed this issue include: Isolation Segment 2.11.41 2.13.26 3.0.19 4.0.11+LTS-T Operations Manager 2.7.25 2.8.16 2.9.12 2.10.3 VMware Tanzu Application Service for VMs 2.11.47 2.13.29 3.0.19 4.0.11+LTS-T https://ubuntu.com/security/CVE-2023-1916 https://ubuntu.com/security/notices/USN-6428-1 https://cloudfoundry.org/blog/usn-6428-1 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6428-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6288-2: MySQL vulnerability https://tanzu.vmware.com/security/usn-6288-2 medium VMware Tanzu <p>USN-6288-1 fixed a vulnerability in MySQL. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.7.43 in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-43.html https://www.oracle.com/security-alerts/cpujul2023.html Update Instructions: Run `sudo pro fix USN-6288-2` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: mysql-client - 5.7.43-0ubuntu0.16.04.1+esm1 mysql-source-5.7 - 5.7.43-0ubuntu0.16.04.1+esm1 libmysqlclient-dev - 5.7.43-0ubuntu0.16.04.1+esm1 mysql-client-core-5.7 - 5.7.43-0ubuntu0.16.04.1+esm1 mysql-client-5.7 - 5.7.43-0ubuntu0.16.04.1+esm1 libmysqlclient20 - 5.7.43-0ubuntu0.16.04.1+esm1 mysql-server-5.7 - 5.7.43-0ubuntu0.16.04.1+esm1 mysql-common - 5.7.43-0ubuntu0.16.04.1+esm1 mysql-server - 5.7.43-0ubuntu0.16.04.1+esm1 mysql-server-core-5.7 - 5.7.43-0ubuntu0.16.04.1+esm1 mysql-testsuite - 5.7.43-0ubuntu0.16.04.1+esm1 libmysqld-dev - 5.7.43-0ubuntu0.16.04.1+esm1 mysql-testsuite-5.7 - 5.7.43-0ubuntu0.16.04.1+esm1 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-22053</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Isolation Segment Only unsupported release lines of this product are affected Operations Manager 2.10.x versions prior to 2.10.65 VMware Tanzu Application Service for VMs 2.3.x versions prior to 2.3.3 Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Isolation Segment 2.3.0 2.4.0 2.5.0 2.6.0 2.7.0 2.8.0 2.9.0 2.10.0 2.11.0 2.12.0 2.13.0 3.0.0 4.0.0+LTS-T Operations Manager 2.10.65 VMware Tanzu Application Service for VMs 2.3.3 2.4.0 2.5.0 2.6.0 2.7.0 2.8.0 2.9.0 2.10.0 2.11.0 2.12.0 2.13.0 3.0.0 4.0.0+LTS-T https://ubuntu.com/security/CVE-2023-22053 https://ubuntu.com/security/notices/USN-6288-2 https://cloudfoundry.org/blog/usn-6288-2 2023-12-04: Initial vulnerability report published. 
https://tanzu.vmware.com/security/usn-6288-2 Mon, 04 Dec 2023 00:00:00 +0000 USN-6429-2: curl vulnerability https://tanzu.vmware.com/security/usn-6429-2 low VMware Tanzu <p>USN-6429-1 fixed a vulnerability in curl. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: It was discovered that curl incorrectly handled cookies when an application duplicated certain handles. A local attacker could possibly create a cookie file and inject arbitrary cookies into subsequent connections. (CVE-2023-38546) Update Instructions: Run `sudo pro fix USN-6429-2` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libcurl4-gnutls-dev - 7.47.0-1ubuntu2.19+esm10 libcurl4-openssl-dev - 7.47.0-1ubuntu2.19+esm10 libcurl3-gnutls - 7.47.0-1ubuntu2.19+esm10 libcurl4-doc - 7.47.0-1ubuntu2.19+esm10 libcurl3-nss - 7.47.0-1ubuntu2.19+esm10 libcurl4-nss-dev - 7.47.0-1ubuntu2.19+esm10 libcurl3 - 7.47.0-1ubuntu2.19+esm10 curl - 7.47.0-1ubuntu2.19+esm10 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-38546</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Platform Automation Toolkit 4.4.x versions prior to 4.4.32 5.0.x versions prior to 5.0.25 5.1.x versions prior to 5.1.2 Isolation Segment 2.11.x versions prior to 2.11.41, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions prior to 2.13.26, or later versions with Xenial Stemcells prior to 621.730 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T Operations Manager 2.10.x versions prior to 2.10.63 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.47, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions prior to 2.13.29, or later versions with Xenial Stemcells prior to 621.730 3.0.x versions prior to 3.0.19 4.0.x versions prior to 4.0.11+LTS-T 
Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Platform Automation Toolkit 4.4.32 5.0.25 5.1.2 Isolation Segment 2.11.41, and upgrade Xenial Stemcells to 621.730 or greater 2.13.26, and upgrade Xenial Stemcells to 621.730 or greater 3.0.19 4.0.11+LTS-T Operations Manager 2.10.63 VMware Tanzu Application Service for VMs 2.11.47, and upgrade Xenial Stemcells to 621.730 or greater 2.13.29, and upgrade Xenial Stemcells to 621.730 or greater 3.0.19 4.0.11+LTS-T https://ubuntu.com/security/CVE-2023-38546 https://ubuntu.com/security/notices/USN-6429-2 https://cloudfoundry.org/blog/usn-6429-2 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6429-2 Mon, 04 Dec 2023 00:00:00 +0000 USN-6467-1: Kerberos vulnerability https://tanzu.vmware.com/security/usn-6467-1 medium VMware Tanzu <p>Robert Morris discovered that Kerberos did not properly handle memory access when processing RPC data through kadmind, which could lead to the freeing of uninitialized memory. An authenticated remote attacker could possibly use this issue to cause kadmind to crash, resulting in a denial of service. Update Instructions: Run `sudo pro fix USN-6467-1` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: libkadm5srv-mit9 - 1.13.2+dfsg-5ubuntu2.2+esm4 libk5crypto3 - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-user - 1.13.2+dfsg-5ubuntu2.2+esm4 libgssrpc4 - 1.13.2+dfsg-5ubuntu2.2+esm4 libkrb5support0 - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-doc - 1.13.2+dfsg-5ubuntu2.2+esm4 libkrb5-dev - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-pkinit - 1.13.2+dfsg-5ubuntu2.2+esm4 libkrb5-3 - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-kdc-ldap - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-otp - 1.13.2+dfsg-5ubuntu2.2+esm4 libkadm5clnt-mit9 - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-gss-samples - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-multidev - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-locales - 1.13.2+dfsg-5ubuntu2.2+esm4 libgssapi-krb5-2 - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-kdc - 1.13.2+dfsg-5ubuntu2.2+esm4 libkrad-dev - 1.13.2+dfsg-5ubuntu2.2+esm4 libkdb5-8 - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-k5tls - 1.13.2+dfsg-5ubuntu2.2+esm4 libkrad0 - 1.13.2+dfsg-5ubuntu2.2+esm4 krb5-admin-server - 1.13.2+dfsg-5ubuntu2.2+esm4 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-36054</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Platform Automation Toolkit 4.4.x versions prior to 4.4.32 5.0.x versions prior to 5.0.25 5.1.x versions prior to 5.1.2 Isolation Segment 2.11.x versions prior to 2.11.42, or later versions with Xenial Stemcells prior to 621.753 2.13.x versions prior to 2.13.27, or later versions with Xenial Stemcells prior to 621.753 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Operations Manager 2.10.x versions prior to 2.10.66 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.48, or later versions with Xenial Stemcells prior to 621.753 2.13.x versions prior to 2.13.30, or later versions with Xenial Stemcells prior to 621.753 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Users of affected products are strongly 
encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Platform Automation Toolkit 4.4.32 5.0.25 5.1.2 Isolation Segment 2.11.42, and upgrade Xenial Stemcells to 621.753 or greater 2.13.27, and upgrade Xenial Stemcells to 621.753 or greater 3.0.20 4.0.12+LTS-T Operations Manager 2.10.66 VMware Tanzu Application Service for VMs 2.11.48, and upgrade Xenial Stemcells to 621.753 or greater 2.13.30, and upgrade Xenial Stemcells to 621.753 or greater 3.0.20 4.0.12+LTS-T https://ubuntu.com/security/CVE-2023-36054 https://ubuntu.com/security/notices/USN-6467-1 https://cloudfoundry.org/blog/usn-6467-1 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6467-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6459-1: MySQL vulnerabilities https://tanzu.vmware.com/security/usn-6459-1 medium VMware Tanzu <p>Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.35 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-35.html https://www.oracle.com/security-alerts/cpuoct2023.html Update Instructions: Run `sudo pro fix USN-6459-1` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: mysql-client - 8.0.35-0ubuntu0.20.04.1 libmysqlclient-dev - 8.0.35-0ubuntu0.20.04.1 mysql-testsuite-8.0 - 8.0.35-0ubuntu0.20.04.1 mysql-router - 8.0.35-0ubuntu0.20.04.1 mysql-server - 8.0.35-0ubuntu0.20.04.1 libmysqlclient21 - 8.0.35-0ubuntu0.20.04.1 mysql-client-core-8.0 - 8.0.35-0ubuntu0.20.04.1 mysql-server-core-8.0 - 8.0.35-0ubuntu0.20.04.1 mysql-server-8.0 - 8.0.35-0ubuntu0.20.04.1 mysql-testsuite - 8.0.35-0ubuntu0.20.04.1 mysql-client-8.0 - 8.0.35-0ubuntu0.20.04.1 mysql-source-8.0 - 8.0.35-0ubuntu0.20.04.1 No subscription required</p><p>CVEs contained in this USN include: CVE-2023-22032, CVE-2023-22059, CVE-2023-22064, CVE-2023-22066, CVE-2023-22068, CVE-2023-22070, CVE-2023-22078, CVE-2023-22079, CVE-2023-22084, CVE-2023-22092, CVE-2023-22097, CVE-2023-22103, CVE-2023-22112, CVE-2023-22114</p> Canonical Ubuntu 22.04 Operations Manager 3.0.x versions prior to 3.0.19+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. 
Releases that have fixed this issue include: Operations Manager 3.0.19+LTS-T https://ubuntu.com/security/CVE-2023-22032 https://ubuntu.com/security/CVE-2023-22059 https://ubuntu.com/security/CVE-2023-22064 https://ubuntu.com/security/CVE-2023-22066 https://ubuntu.com/security/CVE-2023-22068 https://ubuntu.com/security/CVE-2023-22070 https://ubuntu.com/security/CVE-2023-22078 https://ubuntu.com/security/CVE-2023-22079 https://ubuntu.com/security/CVE-2023-22084 https://ubuntu.com/security/CVE-2023-22092 https://ubuntu.com/security/CVE-2023-22097 https://ubuntu.com/security/CVE-2023-22103 https://ubuntu.com/security/CVE-2023-22112 https://ubuntu.com/security/CVE-2023-22114 https://ubuntu.com/security/notices/USN-6459-1 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6459-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6403-3: libvpx vulnerabilities https://tanzu.vmware.com/security/usn-6403-3 medium VMware Tanzu <p>USN-6403-1 fixed several vulnerabilities in libvpx. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: It was discovered that libvpx did not properly handle certain malformed media files. If an application using libvpx opened a specially crafted file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. Update Instructions: Run `sudo pro fix USN-6403-3` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: libvpx-dev - 1.5.0-2ubuntu1.1+esm2 vpx-tools - 1.5.0-2ubuntu1.1+esm2 libvpx-doc - 1.5.0-2ubuntu1.1+esm2 libvpx3 - 1.5.0-2ubuntu1.1+esm2 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-44488, CVE-2023-5217</p> Canonical Ubuntu 16.04 Operations Manager 2.7.x versions prior to 2.7.25 2.8.x versions prior to 2.8.16 2.9.x versions prior to 2.9.12 2.10.x versions prior to 2.10.3 Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include: Operations Manager 2.7.25 2.8.16 2.9.12 2.10.3 https://ubuntu.com/security/CVE-2023-44488 https://ubuntu.com/security/CVE-2023-5217 https://ubuntu.com/security/notices/USN-6403-3 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6403-3 Mon, 04 Dec 2023 00:00:00 +0000 USN-6390-1: Bind vulnerabilities https://tanzu.vmware.com/security/usn-6390-1 medium VMware Tanzu <p>It was discovered that Bind incorrectly handled certain control channel messages. A remote attacker with access to the control channel could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2023-3341) Robert Story discovered that Bind incorrectly handled certain DNS-over-TLS queries. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-4236) Update Instructions: Run `sudo pro fix USN-6390-1` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: dnsutils - 1:9.18.12-0ubuntu0.22.04.3 bind9-libs - 1:9.18.12-0ubuntu0.22.04.3 bind9utils - 1:9.18.12-0ubuntu0.22.04.3 bind9-dev - 1:9.18.12-0ubuntu0.22.04.3 bind9-doc - 1:9.18.12-0ubuntu0.22.04.3 bind9-utils - 1:9.18.12-0ubuntu0.22.04.3 bind9 - 1:9.18.12-0ubuntu0.22.04.3 bind9-dnsutils - 1:9.18.12-0ubuntu0.22.04.3 bind9-host - 1:9.18.12-0ubuntu0.22.04.3 No subscription required</p><p>CVEs contained in this USN include: CVE-2023-3341, CVE-2023-4236</p> Canonical Ubuntu 22.04 Isolation Segment 3.0.x versions prior to 3.0.18, or later versions with Jammy Stemcells prior to 1.250 4.0.x versions prior to 4.0.10+LTS-T, or later versions with Jammy Stemcells prior to 1.250 Operations Manager 3.0.x versions prior to 3.0.17+LTS-T Redis for Pivotal Platform 3.2.x versions with Jammy Stemcells prior to 1.250 3.3.x versions with Jammy Stemcells prior to 1.250 VMware Tanzu Application Service for VMs 3.0.x versions prior to 3.0.18, or later versions with Jammy Stemcells prior to 1.250 4.0.x versions prior to 4.0.10+LTS-T, or later versions with Jammy Stemcells prior to 1.250 Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. 
Releases that have fixed this issue include: Isolation Segment 3.0.18, and upgrade Jammy Stemcells to 1.250 or greater 4.0.10+LTS-T, and upgrade Jammy Stemcells to 1.250 or greater Operations Manager 3.0.17+LTS-T Redis for Pivotal Platform 3.2.x: Upgrade Jammy Stemcells to 1.250 or greater 3.3.x: Upgrade Jammy Stemcells to 1.250 or greater VMware Tanzu Application Service for VMs 3.0.18, and upgrade Jammy Stemcells to 1.250 or greater 4.0.10+LTS-T, and upgrade Jammy Stemcells to 1.250 or greater https://ubuntu.com/security/CVE-2023-3341 https://ubuntu.com/security/CVE-2023-4236 https://ubuntu.com/security/notices/USN-6390-1 https://cloudfoundry.org/blog/usn-6390-1 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6390-1 Mon, 04 Dec 2023 00:00:00 +0000 USN-6165-2: GLib vulnerabilities https://tanzu.vmware.com/security/usn-6165-2 medium VMware Tanzu <p>USN-6165-1 fixed vulnerabilities in GLib. This update provides the corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: It was discovered that GLib incorrectly handled non-normal GVariants. An attacker could use this issue to cause GLib to crash, resulting in a denial of service, or perform other unknown attacks. Update Instructions: Run `sudo pro fix USN-6165-2` to fix the vulnerability. 
The problem can be corrected by updating your system to the following package versions: libglib2.0-0 - 2.48.2-0ubuntu4.8+esm3 libglib2.0-0-refdbg - 2.48.2-0ubuntu4.8+esm3 libglib2.0-data - 2.48.2-0ubuntu4.8+esm3 libglib2.0-tests - 2.48.2-0ubuntu4.8+esm3 libglib2.0-doc - 2.48.2-0ubuntu4.8+esm3 libglib2.0-bin - 2.48.2-0ubuntu4.8+esm3 libglib2.0-dev - 2.48.2-0ubuntu4.8+esm3 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro</p><p>CVEs contained in this USN include: CVE-2023-29499, CVE-2023-32611, CVE-2023-32636, CVE-2023-32643, CVE-2023-32665</p> Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Platform Automation Toolkit 4.4.x versions prior to 4.4.32 5.0.x versions prior to 5.0.25 5.1.x versions prior to 5.1.2 Isolation Segment 2.11.x versions prior to 2.11.42, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions prior to 2.13.27, or later versions with Xenial Stemcells prior to 621.730 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Operations Manager 2.10.x versions prior to 2.10.65 VMware Tanzu Application Service for VMs 2.11.x versions prior to 2.11.48, or later versions with Xenial Stemcells prior to 621.730 2.13.x versions prior to 2.13.30, or later versions with Xenial Stemcells prior to 621.730 3.0.x versions prior to 3.0.20 4.0.x versions prior to 4.0.12+LTS-T Users of affected products are strongly encouraged to follow the mitigation below. On the <a href="https://network.tanzu.vmware.com/" target="_blank">Tanzu Network</a> product page for each release, check the Depends On section and/or Release Notes for this information. 
Releases that have fixed this issue include: Platform Automation Toolkit 4.4.32 5.0.25 5.1.2 Isolation Segment 2.11.42, and upgrade Xenial Stemcells to 621.730 or greater 2.13.27, and upgrade Xenial Stemcells to 621.730 or greater 3.0.20 4.0.12+LTS-T Operations Manager 2.10.65 VMware Tanzu Application Service for VMs 2.11.48, and upgrade Xenial Stemcells to 621.730 or greater 2.13.30, and upgrade Xenial Stemcells to 621.730 or greater 3.0.20 4.0.12+LTS-T https://ubuntu.com/security/CVE-2023-29499 https://ubuntu.com/security/CVE-2023-32611 https://ubuntu.com/security/CVE-2023-32636 https://ubuntu.com/security/CVE-2023-32643 https://ubuntu.com/security/CVE-2023-32665 https://ubuntu.com/security/notices/USN-6165-2 https://cloudfoundry.org/blog/usn-6165-2 2023-12-04: Initial vulnerability report published. https://tanzu.vmware.com/security/usn-6165-2 Mon, 04 Dec 2023 00:00:00 +0000