{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.15.0-1061-kvm", "linux-image-5.15.0-1061-kvm", "linux-kvm-headers-5.15.0-1061", "linux-modules-5.15.0-1061-kvm" ], "removed": [ "linux-headers-5.15.0-1060-kvm", "linux-image-5.15.0-1060-kvm", "linux-kvm-headers-5.15.0-1060", "linux-modules-5.15.0-1060-kvm" ], "diff": [ "libnetplan0", "libssl3", "linux-headers-kvm", "linux-image-kvm", "linux-kvm", "netplan.io", "openssl", "wget" ] } }, "diff": { "deb": [ { "name": "libnetplan0", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.2", "version": "0.106.1-7ubuntu0.22.04.2" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.3", "version": "0.106.1-7ubuntu0.22.04.3" }, "cves": [ { "cve": "CVE-2022-4968", "url": "https://ubuntu.com/security/CVE-2022-4968", "cve_description": "netplan leaks the private key of wireguard to local users. A security fix will be released soon.", "cve_priority": "medium", "cve_public_date": "2024-06-07 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2065738, 1987842, 2066258 ], "changes": [ { "cves": [ { "cve": "CVE-2022-4968", "url": "https://ubuntu.com/security/CVE-2022-4968", "cve_description": "netplan leaks the private key of wireguard to local users. A security fix will be released soon.", "cve_priority": "medium", "cve_public_date": "2024-06-07 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: weak permissions on secret files, command injection", " - d/p/lp2065738/0028-libnetplan-use-more-restrictive-file-permissions.patch:", " Use more restrictive file permissions to prevent unprivileged users to", " read sensitive data from back end files (LP: #2065738, #1987842)", " - CVE-2022-4968", " - d/p/lp2066258/0029-libnetplan-escape-control-characters.patch:", " Escape control characters in the parser and double quotes in backend", " files", " - d/p/lp2066258/0030-backends-escape-file-paths.patch:", " Escape special characters in file paths", " - d/p/lp2066258/0031-backends-escape-semicolons-in-service-units.patch:", " Escape isolated semicolons in systemd service units (LP: #2066258)", " * debian/netplan.io.postinst: Add a postinst maintainer script to call the", " generator. It's needed so the file permissions fixes will be applied", " automatically, thanks to danilogondolfo ", "" ], "package": "netplan.io", "version": "0.106.1-7ubuntu0.22.04.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2065738, 1987842, 2066258 ], "author": "Sudhakar Verma ", "date": "Mon, 24 Jun 2024 23:20:42 +0530" } ], "notes": null }, { "name": "libssl3", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.15", "version": "3.0.2-0ubuntu1.15" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.16", "version": "3.0.2-0ubuntu1.16" }, "cves": [ { "cve": "CVE-2022-40735", "url": "https://ubuntu.com/security/CVE-2022-40735", "cve_description": "The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that \"(appropriately) short exponents\" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.", "cve_priority": "medium", "cve_public_date": "2022-11-14 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2022-40735", "url": "https://ubuntu.com/security/CVE-2022-40735", "cve_description": "The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that \"(appropriately) short exponents\" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.", "cve_priority": "medium", "cve_public_date": "2022-11-14 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Excessive time spent in DH modular-exponentiation", " calcuations when using long exponents.", " - debian/patches/CVE-2022-40735-1.patch: Use the minimum key length", " for known safe primes as per RFC 7919 in crypto/dh/dh_group_params.c,", " crypto/ffc/ffc_backend.c, crypto/ffc/ffc_dh.c,", " crypto/ffc/ffc_key_generate.c, include/internal/ffc.h and", " test/ffc_internal_test.c", " - debian/patches/CVE-2022-40735-2.patch: print DH key length in", " providers/implementations/encode_decode/encode_key2text.c,", " test/recipes/30-test_evp_pkey_provided/DH.priv.txt and", " test/recipes/30-test_evp_pkey_provided/DH.pub.txt", " - debian/patches/CVE-2022-40735-3.patch: test that short private keys", " are generated when using a known safe DH prime in", " test/evp_extra_test2.c", " - debian/patches/CVE-2022-40735-4.patch: copy keylength when copying", " FFC parameters in crypto/ffc/ffc_params.c and test/ffc_internal_test.c", " - CVE-2022-40735", "" ], "package": "openssl", "version": "3.0.2-0ubuntu1.16", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Alex Murray ", "date": "Wed, 05 Jun 2024 12:58:14 +0930" } ], "notes": null }, { "name": "linux-headers-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1060.56", "version": "5.15.0.1060.56" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1061.57", "version": "5.15.0.1061.57" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1061", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1061.57", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Thibault Ferrante ", "date": "Mon, 17 Jun 2024 21:55:48 +0200" } ], "notes": null }, { "name": "linux-image-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1060.56", "version": "5.15.0.1060.56" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1061.57", "version": "5.15.0.1061.57" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1061", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1061.57", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Thibault Ferrante ", "date": "Mon, 17 Jun 2024 21:55:48 +0200" } ], "notes": null }, { "name": "linux-kvm", "from_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1060.56", "version": "5.15.0.1060.56" }, "to_version": { "source_package_name": "linux-meta-kvm", "source_package_version": "5.15.0.1061.57", "version": "5.15.0.1061.57" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-1061", "" ], "package": "linux-meta-kvm", "version": "5.15.0.1061.57", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Thibault Ferrante ", "date": "Mon, 17 Jun 2024 21:55:48 +0200" } ], "notes": null }, { "name": "netplan.io", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.2", "version": "0.106.1-7ubuntu0.22.04.2" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.3", "version": "0.106.1-7ubuntu0.22.04.3" }, "cves": [ { "cve": "CVE-2022-4968", "url": "https://ubuntu.com/security/CVE-2022-4968", "cve_description": "netplan leaks the private key of wireguard to local users. A security fix will be released soon.", "cve_priority": "medium", "cve_public_date": "2024-06-07 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2065738, 1987842, 2066258 ], "changes": [ { "cves": [ { "cve": "CVE-2022-4968", "url": "https://ubuntu.com/security/CVE-2022-4968", "cve_description": "netplan leaks the private key of wireguard to local users. A security fix will be released soon.", "cve_priority": "medium", "cve_public_date": "2024-06-07 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: weak permissions on secret files, command injection", " - d/p/lp2065738/0028-libnetplan-use-more-restrictive-file-permissions.patch:", " Use more restrictive file permissions to prevent unprivileged users to", " read sensitive data from back end files (LP: #2065738, #1987842)", " - CVE-2022-4968", " - d/p/lp2066258/0029-libnetplan-escape-control-characters.patch:", " Escape control characters in the parser and double quotes in backend", " files", " - d/p/lp2066258/0030-backends-escape-file-paths.patch:", " Escape special characters in file paths", " - d/p/lp2066258/0031-backends-escape-semicolons-in-service-units.patch:", " Escape isolated semicolons in systemd service units (LP: #2066258)", " * debian/netplan.io.postinst: Add a postinst maintainer script to call the", " generator. It's needed so the file permissions fixes will be applied", " automatically, thanks to danilogondolfo ", "" ], "package": "netplan.io", "version": "0.106.1-7ubuntu0.22.04.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2065738, 1987842, 2066258 ], "author": "Sudhakar Verma ", "date": "Mon, 24 Jun 2024 23:20:42 +0530" } ], "notes": null }, { "name": "openssl", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.15", "version": "3.0.2-0ubuntu1.15" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.2-0ubuntu1.16", "version": "3.0.2-0ubuntu1.16" }, "cves": [ { "cve": "CVE-2022-40735", "url": "https://ubuntu.com/security/CVE-2022-40735", "cve_description": "The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that \"(appropriately) short exponents\" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.", "cve_priority": "medium", "cve_public_date": "2022-11-14 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2022-40735", "url": "https://ubuntu.com/security/CVE-2022-40735", "cve_description": "The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that \"(appropriately) short exponents\" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.", "cve_priority": "medium", "cve_public_date": "2022-11-14 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Excessive time spent in DH modular-exponentiation", " calcuations when using long exponents.", " - debian/patches/CVE-2022-40735-1.patch: Use the minimum key length", " for known safe primes as per RFC 7919 in crypto/dh/dh_group_params.c,", " crypto/ffc/ffc_backend.c, crypto/ffc/ffc_dh.c,", " crypto/ffc/ffc_key_generate.c, include/internal/ffc.h and", " test/ffc_internal_test.c", " - debian/patches/CVE-2022-40735-2.patch: print DH key length in", " providers/implementations/encode_decode/encode_key2text.c,", " test/recipes/30-test_evp_pkey_provided/DH.priv.txt and", " test/recipes/30-test_evp_pkey_provided/DH.pub.txt", " - debian/patches/CVE-2022-40735-3.patch: test that short private keys", " are generated when using a known safe DH prime in", " test/evp_extra_test2.c", " - debian/patches/CVE-2022-40735-4.patch: copy keylength when copying", " FFC parameters in crypto/ffc/ffc_params.c and test/ffc_internal_test.c", " - CVE-2022-40735", "" ], "package": "openssl", "version": "3.0.2-0ubuntu1.16", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Alex Murray ", "date": "Wed, 05 Jun 2024 12:58:14 +0930" } ], "notes": null }, { "name": "wget", "from_version": { "source_package_name": "wget", "source_package_version": "1.21.2-2ubuntu1", "version": "1.21.2-2ubuntu1" }, "to_version": { "source_package_name": "wget", "source_package_version": "1.21.2-2ubuntu1.1", "version": "1.21.2-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2024-38428", "url": "https://ubuntu.com/security/CVE-2024-38428", "cve_description": "url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.", "cve_priority": "medium", "cve_public_date": "2024-06-16 03:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-38428", "url": "https://ubuntu.com/security/CVE-2024-38428", "cve_description": "url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.", "cve_priority": "medium", "cve_public_date": "2024-06-16 03:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: mishandling of semicolons in userinfo", " - debian/patches/CVE-2024-38428.patch: properly re-implement userinfo", " parsing in src/url.c.", " - CVE-2024-38428", "" ], "package": "wget", "version": "1.21.2-2ubuntu1.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 19 Jun 2024 08:15:59 -0400" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-1061-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1060.65", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1061.66", "version": "5.15.0-1061.66" }, "cves": [ { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2068227, 2068242, 2065898 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1061.66 -proposed tracker (LP: #2068227)", "", " [ Ubuntu: 5.15.0-113.123 ]", "", " * jammy/linux: 5.15.0-113.123 -proposed tracker (LP: #2068242)", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "", " [ Ubuntu: 5.15.0-112.122 ]", "", " * jammy/linux: 5.15.0-112.122 -proposed tracker (LP: #2065898)", " * CVE-2024-21823", " - dmanegine: idxd: reformat opcap output to match bitmap_parse() input", " - dmaengine: idxd: add WQ operation cap restriction support", " - dmaengine: idxd: add knob for enqcmds retries", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux-kvm", "version": "5.15.0-1061.66", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2068227, 2068242, 2065898 ], "author": "Thibault Ferrante ", "date": "Mon, 17 Jun 2024 21:49:55 +0200" } ], "notes": "linux-headers-5.15.0-1061-kvm version '5.15.0-1061.66' (source package linux-kvm version '5.15.0-1061.66') was added. linux-headers-5.15.0-1061-kvm version '5.15.0-1061.66' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1060-kvm. As such we can use the source package version of the removed package, '5.15.0-1060.65', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.15.0-1061-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1060.65", "version": null }, "to_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1061.66", "version": "5.15.0-1061.66" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-1061.66", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed-kvm", "version": "5.15.0-1061.66", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Thibault Ferrante ", "date": "Mon, 17 Jun 2024 21:55:51 +0200" } ], "notes": "linux-image-5.15.0-1061-kvm version '5.15.0-1061.66' (source package linux-signed-kvm version '5.15.0-1061.66') was added. linux-image-5.15.0-1061-kvm version '5.15.0-1061.66' has the same source package name, linux-signed-kvm, as removed package linux-image-5.15.0-1060-kvm. As such we can use the source package version of the removed package, '5.15.0-1060.65', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-kvm-headers-5.15.0-1061", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1060.65", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1061.66", "version": "5.15.0-1061.66" }, "cves": [ { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2068227, 2068242, 2065898 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1061.66 -proposed tracker (LP: #2068227)", "", " [ Ubuntu: 5.15.0-113.123 ]", "", " * jammy/linux: 5.15.0-113.123 -proposed tracker (LP: #2068242)", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "", " [ Ubuntu: 5.15.0-112.122 ]", "", " * jammy/linux: 5.15.0-112.122 -proposed tracker (LP: #2065898)", " * CVE-2024-21823", " - dmanegine: idxd: reformat opcap output to match bitmap_parse() input", " - dmaengine: idxd: add WQ operation cap restriction support", " - dmaengine: idxd: add knob for enqcmds retries", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux-kvm", "version": "5.15.0-1061.66", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2068227, 2068242, 2065898 ], "author": "Thibault Ferrante ", "date": "Mon, 17 Jun 2024 21:49:55 +0200" } ], "notes": "linux-kvm-headers-5.15.0-1061 version '5.15.0-1061.66' (source package linux-kvm version '5.15.0-1061.66') was added. linux-kvm-headers-5.15.0-1061 version '5.15.0-1061.66' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1060-kvm. As such we can use the source package version of the removed package, '5.15.0-1060.65', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.15.0-1061-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1060.65", "version": null }, "to_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1061.66", "version": "5.15.0-1061.66" }, "cves": [ { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2068227, 2068242, 2065898 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26924", "url": "https://ubuntu.com/security/CVE-2024-26924", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem(\"00000000\") timeout 100 ms ... add_elem(\"0000000X\") timeout 100 ms del_elem(\"0000000X\") <---------------- delete one that was just added ... add_elem(\"00005000\") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano)", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-21823", "url": "https://ubuntu.com/security/CVE-2024-21823", "cve_description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", "cve_priority": "medium", "cve_public_date": "2024-05-16 21:16:00 UTC" } ], "log": [ "", " * jammy/linux-kvm: 5.15.0-1061.66 -proposed tracker (LP: #2068227)", "", " [ Ubuntu: 5.15.0-113.123 ]", "", " * jammy/linux: 5.15.0-113.123 -proposed tracker (LP: #2068242)", " * CVE-2024-26924", " - netfilter: nft_set_pipapo: do not free live element", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "", " [ Ubuntu: 5.15.0-112.122 ]", "", " * jammy/linux: 5.15.0-112.122 -proposed tracker (LP: #2065898)", " * CVE-2024-21823", " - dmanegine: idxd: reformat opcap output to match bitmap_parse() input", " - dmaengine: idxd: add WQ operation cap restriction support", " - dmaengine: idxd: add knob for enqcmds retries", " - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist", " - dmaengine: idxd: add a new security check to deal with a hardware erratum", " - dmaengine: idxd: add a write() method for applications to submit work", "" ], "package": "linux-kvm", "version": "5.15.0-1061.66", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2068227, 2068242, 2065898 ], "author": "Thibault Ferrante ", "date": "Mon, 17 Jun 2024 21:49:55 +0200" } ], "notes": "linux-modules-5.15.0-1061-kvm version '5.15.0-1061.66' (source package linux-kvm version '5.15.0-1061.66') was added. linux-modules-5.15.0-1061-kvm version '5.15.0-1061.66' has the same source package name, linux-kvm, as removed package linux-headers-5.15.0-1060-kvm. As such we can use the source package version of the removed package, '5.15.0-1060.65', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-1060-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1060.65", "version": "5.15.0-1060.65" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.15.0-1060-kvm", "from_version": { "source_package_name": "linux-signed-kvm", "source_package_version": "5.15.0-1060.65", "version": "5.15.0-1060.65" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-kvm-headers-5.15.0-1060", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1060.65", "version": "5.15.0-1060.65" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.15.0-1060-kvm", "from_version": { "source_package_name": "linux-kvm", "source_package_version": "5.15.0-1060.65", "version": "5.15.0-1060.65" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20240613 to 20240627", "from_series": "jammy", "to_series": "jammy", "from_serial": "20240613", "to_serial": "20240627", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }