Download
| Alert*
|
oval:org.secpod.oval:def:705447
Ubuntu 20.04 is installed oval:org.secpod.oval:def:705736 accountsservice: query and manipulate user account information Several security issues were fixed in AccountsService. oval:org.secpod.oval:def:706179 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems Details: USN-5091-1 fixed vulnerabilities in Linux 5.4-based kernels. Unfortunately, for Linux kernels intended for use within Microsoft Azure environments, that update intro ... oval:org.secpod.oval:def:706018 python-pip: Python package installer pip could be made to install different git revisions. oval:org.secpod.oval:def:706145 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:706180 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-5.11: Linux kernel for Microsoft Azure cloud systems Details: USN-5092-2 fixed vulnerabilities in Linux 5.11-based kernels. Unfortunately, for Linux kernels intended for use within Microsoft Azure environments, that update int ... oval:org.secpod.oval:def:706149 linux: Linux kernel - linux-hwe-5.11: Linux hardware enablement kernel - linux-hwe-5.4: Linux hardware enablement kernel - linux-hwe: Linux hardware enablement kernel IBM s390x systems could be made to crash or run programs as an administrator. oval:org.secpod.oval:def:705645 ldm: LTSP display manager LTSP Display Manager could be made to escalate user privileges. oval:org.secpod.oval:def:706000 mariadb-10.5: MariaDB database development files - mariadb-10.3: MariaDB database - mariadb-10.1: MariaDB database Several security issues were fixed in MariaDB. oval:org.secpod.oval:def:706024 apport: automatically generate crash reports for debugging Several security issues were fixed in Apport. oval:org.secpod.oval:def:706112 firefox: Mozilla Open Source web browser Details: USN-5037-1 fixed vulnerabilities in Firefox. The update introduced a regression that caused Firefox to repeatedly prompt for a password. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-5037-1 caused a regressi ... oval:org.secpod.oval:def:706016 python-babel: tools for internationalizing Python applications Babel code be made to execute arbitrary code if it received a specially crafted input. oval:org.secpod.oval:def:706152 ca-certificates: Common CA certificates A certificate about to expire was removed from ca-certificates. oval:org.secpod.oval:def:705523 nvidia-graphics-drivers-390: NVIDIA binary X.Org driver - nvidia-graphics-drivers-440: NVIDIA binary X.Org driver Several security issues were fixed in NVIDIA graphics drivers. oval:org.secpod.oval:def:84708 kitty: fast, featureful, GPU based terminal emulator kitty could be made to run programs if it opened a specially crafted image or desktop notification. oval:org.secpod.oval:def:64081 libvncserver: vnc server library Several security issues were fixed in LibVNCServer. oval:org.secpod.oval:def:705987 exim4: Exim is a mail transport agent Several security issues were fixed in Exim. oval:org.secpod.oval:def:707830 shadow: system login tools Details: USN-5745-1 fixed vulnerabilities in shadow. Unfortunately that update introduced a regression that caused useradd to behave incorrectly in Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This update reverts the security fix pending furth ... oval:org.secpod.oval:def:707880 firefox: Mozilla Open Source web browser Details: USN-5782-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-5782-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:707737 sosreport: Set of tools to gather troubleshooting data from a system SoS could be made do expose sensitive information. oval:org.secpod.oval:def:707688 jupyter-notebook: Jupyter interactive notebook Several security issues were fixed in Jupyter Notebook. oval:org.secpod.oval:def:706273 exiv2: EXIF/IPTC/XMP metadata manipulation tool Details: USN-5043-1 fixed vulnerabilities in Exiv2. The update introduced a new regression that could cause a crash in applications using libexiv2. This update fixes the problem. We apologize for the inconvenience. Original advisory Introduced regressi ... oval:org.secpod.oval:def:706261 firefox: Mozilla Open Source web browser Details: USN-5186-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-5186-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:706181 ardour: the digital audio workstation Ardour could be made to crash or possibly arbitrary code execute if it received a specially crafted XML file. oval:org.secpod.oval:def:706098 gpsd: Global Positioning System GPSd could return the wrong time. oval:org.secpod.oval:def:707826 shadow: system login tools shadow could be made to overwrite files. oval:org.secpod.oval:def:71923 libxstream-java: Java library to serialize objects to XML and back again Several security issues were fixed in XStream library. oval:org.secpod.oval:def:707692 schroot: Execute commands in a chroot environment Schroot could be made to denial of service if certain schroot names are used. oval:org.secpod.oval:def:707681 exim4: Exim is a mail transport agent Exim could be made to crash of execute arbitrary code if it received a specially crafted input. oval:org.secpod.oval:def:707781 barbican: OpenStack Key Management Service - API Server Barbican could be made to expose sensitive information over the network. oval:org.secpod.oval:def:708090 firefox: Mozilla Open Source web browser Details: USN-6010-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6010-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:708106 firefox: Mozilla Open Source web browser Details: USN-6010-1 fixed vulnerabilities and USN-6010-2 fixed minor regressions in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6010-2 caused some minor reg ... oval:org.secpod.oval:def:708114 openssl-ibmca: libica based hardware acceleration engine for OpenSSL OpenSSL-ibmca could be made to expose sensitive information. oval:org.secpod.oval:def:708144 nova: OpenStack Compute cloud infrastructure Details: USN-6073-3 fixed a vulnerability in Nova. The update introduced a regression causing Nova to be unable to detach volumes from instances. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6073-3 introduced a ... oval:org.secpod.oval:def:708150 firefox: Mozilla Open Source web browser Details: USN-6074-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6074-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:705644 busybox: Tiny utilities for small and embedded systems Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet. oval:org.secpod.oval:def:708227 linux-gke: Linux kernel for Google Container Engine systems The system could suffer with performance degradation in certain conditions. oval:org.secpod.oval:def:708239 firefox: Mozilla Open Source web browser Details: USN-6143-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6143-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:708248 sssd: System Security Services Daemon Details: USN-6156-1 fixed a vulnerability in SSSD. In certain environments, not all packages ended up being upgraded at the same time, resulting in authentication failures when the PAM module was being used. This update fixes the problem. We apologize for the in ... oval:org.secpod.oval:def:70770 The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm. Rationale: The SHA-512 algorithm provides much stronger hashing than M ... oval:org.secpod.oval:def:70821 The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Rationale: Unless a system is specifically designated to act as a DNS server, it is recommended that the package be dele ... oval:org.secpod.oval:def:65999 The Set Lockout Time For Failed Password Attempts should be set correctly. oval:org.secpod.oval:def:65921 The passwords to remember should be set correctly. oval:org.secpod.oval:def:707875 net-snmp: SNMP server and applications Net-SNMP could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:706280 systemd: system and service manager systemd-tmpfiles could be made to crash or have other unspecified impacts. oval:org.secpod.oval:def:708262 firefox: Mozilla Open Source web browser Details: USN-6143-1 fixed vulnerabilities and USN-6143-2 fixed minor regressions in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6143-2 caused some minor reg ... oval:org.secpod.oval:def:707626 python-ldap: LDAP interface module for Python3 Python LDAP could be made to denial of service if it received a specially crafted regular expression. oval:org.secpod.oval:def:708134 neutron: OpenStack Virtual Network Service Several security issues were fixed in OpenStack Neutron. oval:org.secpod.oval:def:708146 mysql-8.0: MySQL database Details: USN-6060-1 fixed vulnerabilities in MySQL. The new upstream 8.0.33 version introduced a regression on the armhf architecture. This update fixes the problem. Original advisory USN-6060-1 introduced a regression in MySQL. oval:org.secpod.oval:def:708344 firefox: Mozilla Open Source web browser Details: USN-6267-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6267-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:708372 firefox: Mozilla Open Source web browser Details: USN-6267-1 fixed vulnerabilities and USN-6267-2 fixed minor regressions in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6267-2 caused some minor reg ... oval:org.secpod.oval:def:708347 openssh: secure shell for secure access to remote machines A hardening measure was added to OpenSSH. oval:org.secpod.oval:def:65970 Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.n ... oval:org.secpod.oval:def:70788 The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group. Rationale: Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain re ... oval:org.secpod.oval:def:65973 Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user. It is highly unusual for a non privileg ... oval:org.secpod.oval:def:65978 Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a ... oval:org.secpod.oval:def:65946 This test makes sure that '/etc/passwd' has proper permission. If the target file or directory has an extended ACL then it will fail the mode check. oval:org.secpod.oval:def:70771 The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user. Rationale: Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users. oval:org.secpod.oval:def:70780 The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. Rationale: The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but nee ... oval:org.secpod.oval:def:70782 Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. oval:org.secpod.oval:def:66008 The kernel runtime parameter "net.ipv4.icmp_echo_ignore_broadcasts" should be set to "1". oval:org.secpod.oval:def:70743 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions. oval:org.secpod.oval:def:65988 Access permission for '/etc/cron.monthly' is set to appropriate values. oval:org.secpod.oval:def:65920 The kernel module jffs2 should be disabled. oval:org.secpod.oval:def:65928 The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate. oval:org.secpod.oval:def:65929 Global IPv6 initialization should be disabled. oval:org.secpod.oval:def:70738 The /var/log directory is used by system services to store log data. Rationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data. oval:org.secpod.oval:def:70805 Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export. Rationale: Storing log data on a remote ho ... oval:org.secpod.oval:def:65980 Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written t ... oval:org.secpod.oval:def:65924 The kernel runtime parameter "net.ipv4.ip_forward" should be set to "0". oval:org.secpod.oval:def:70739 sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. Rationale: sudo supports a plugin arch ... oval:org.secpod.oval:def:70783 An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and h ... oval:org.secpod.oval:def:66004 The kernel module udf should be disabled. oval:org.secpod.oval:def:70754 sudo can be configured to run only from a psuedo-pty. Rationale: Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing. oval:org.secpod.oval:def:70827 Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion. oval:org.secpod.oval:def:65989 The DPKG package 'rsyslog' should be installed. oval:org.secpod.oval:def:65930 The grub boot loader should have password protection enabled. oval:org.secpod.oval:def:65917 Syslog logs should be sent to a remote loghost oval:org.secpod.oval:def:70741 The /home directory is used to support disk storage needs of local users. Rationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored und ... oval:org.secpod.oval:def:70814 The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Rationale: Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface ... oval:org.secpod.oval:def:65939 The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0". oval:org.secpod.oval:def:65958 The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options. * retr ... oval:org.secpod.oval:def:65910 max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value oval:org.secpod.oval:def:70762 A Firewall package should be selected. Most firewall configuration utilities operate as a front end to nftables or iptables. Rationale: A Firewall package is required for firewall management and configuration. oval:org.secpod.oval:def:70790 An account with an empty password field means that anybody may log in as that user without providing a password. Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user. oval:org.secpod.oval:def:70832 Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudoers_log. Any time a command ... oval:org.secpod.oval:def:70825 Dovecot is an open source mail submission and transport server for Linux based systems. Rationale: Unless mail transport services are to be provided by this system, it is recommended that the service be disabled or deleted to reduce the potential attack surface. Note: Several ... oval:org.secpod.oval:def:65994 The kernel module cramfs should be disabled. oval:org.secpod.oval:def:70776 Rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and ... oval:org.secpod.oval:def:70793 While no .rhosts files are shipped by default, users can easily create them. Rationale: This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf . Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , they may have ... oval:org.secpod.oval:def:70787 The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: Thes ... oval:org.secpod.oval:def:70815 The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files. Rationale: FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run t ... oval:org.secpod.oval:def:70818 Once the rsyslog package is installed it needs to be activated. Rationale: If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead. oval:org.secpod.oval:def:70802 Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd file and change the user name. Rationale: If a user is assigned a duplicate user name, it will create and have access to files with the ... oval:org.secpod.oval:def:65968 Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of ... oval:org.secpod.oval:def:65922 The kernel runtime parameter "net.ipv4.conf.all.send_redirects" should be set to "0". oval:org.secpod.oval:def:65918 The logrotate (syslog rotater) service should be enabled. oval:org.secpod.oval:def:70772 AppArmor profiles define what resources applications are able to access. oval:org.secpod.oval:def:70794 The .netrc file contains data for logging into a remote host for file transfers via FTP. Rationale: The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from ... oval:org.secpod.oval:def:70804 nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and outp ... oval:org.secpod.oval:def:65986 The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user ... oval:org.secpod.oval:def:65944 The kernel runtime parameter "net.ipv4.conf.default.secure_redirects" should be set to "0". oval:org.secpod.oval:def:65936 The Kernel Parameter for Accepting Source-Routed Packets By Default should be enabled or disabled as appropriate. The kernel runtime parameter "net.ipv4.conf.default.accept_source_route" should be set to "0". oval:org.secpod.oval:def:65959 The maximum password age policy should meet minimum requirements. oval:org.secpod.oval:def:70796 While the system administrator can establish secure permissions for users' "dot" files, the users can easily override these. Rationale: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's syste ... oval:org.secpod.oval:def:70806 The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large. Rationale: Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing log ... oval:org.secpod.oval:def:70809 The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories ... oval:org.secpod.oval:def:65975 Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), i ... oval:org.secpod.oval:def:70778 The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate. Rationale: It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is pro ... oval:org.secpod.oval:def:70763 auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occ ... oval:org.secpod.oval:def:70798 chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. Rationale: If chrony is in use on the system proper configuration is vital to ensuring time synchroniza ... oval:org.secpod.oval:def:70737 Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader. Rationale: Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user ... oval:org.secpod.oval:def:66001 The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user a ... oval:org.secpod.oval:def:66003 The kernel runtime parameter "net.ipv4.icmp_ignore_bogus_error_responses" should be set to "1". oval:org.secpod.oval:def:70801 Although the groupadd program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group file and change the GID field. Rationale: User groups must be assigned unique GIDs for accountability and to ensure appropriate a ... oval:org.secpod.oval:def:70830 The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network. The rpcbind service maps Remote Procedure Call (RPC) services to the ports on wh ... oval:org.secpod.oval:def:65984 The DPKG package 'aide' should be installed. oval:org.secpod.oval:def:65987 Access permission for '/etc/cron.d' is set to appropriate values. oval:org.secpod.oval:def:65979 Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious ac ... oval:org.secpod.oval:def:65945 The root account is the only system account that should have a login shell. oval:org.secpod.oval:def:65956 The minimum password age policy should be set appropriately. oval:org.secpod.oval:def:70774 The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Rationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading informa ... oval:org.secpod.oval:def:65992 The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file. oval:org.secpod.oval:def:65937 File permission for '/etc/hosts.deny' is set to appropriate values. oval:org.secpod.oval:def:70773 Ensure all apparmor profiles are in enforce or complain mode. Rationale: Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any p ... oval:org.secpod.oval:def:70767 SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into ... oval:org.secpod.oval:def:70750 The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. Rationale: Since the /var directory may contain world-writable files and directories, there is a risk of resource e ... oval:org.secpod.oval:def:70823 The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. Rationale: If the system will not need to act as an LDAP server, it is recommended that the softw ... oval:org.secpod.oval:def:65985 Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ... oval:org.secpod.oval:def:65990 The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server. oval:org.secpod.oval:def:65972 By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port. The guidance in the section ensures ... oval:org.secpod.oval:def:65955 The auditd daemon can be configured to halt the system when the audit logs are full. In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. space_left_action, action_mail_acct and admin_space_left_action setting in / ... oval:org.secpod.oval:def:65957 The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0". oval:org.secpod.oval:def:65919 The kernel module freevxfs should be disabled. oval:org.secpod.oval:def:70775 The contents of the /etc/issue file are displayed to users prior to login for local terminals. Rationale: If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information. oval:org.secpod.oval:def:70748 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp. oval:org.secpod.oval:def:70807 Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss. Rationale: Writing log data to disk will provide the ability to fo ... oval:org.secpod.oval:def:65916 The kernel module dccp should be disabled. oval:org.secpod.oval:def:70784 An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authent ... oval:org.secpod.oval:def:70736 The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp . oval:org.secpod.oval:def:66000 This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root ... oval:org.secpod.oval:def:66006 The kernel runtime parameter "net.ipv4.conf.all.rp_filter" should be set to "1". oval:org.secpod.oval:def:70810 The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system. Rationale: The SNMP server can communicate using SNMP v1, w ... oval:org.secpod.oval:def:70824 HTTP or web servers provide the ability to host web site content. Rationale: Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface. oval:org.secpod.oval:def:65932 The kernel runtime parameter "net.ipv4.conf.all.log_martians" should be set to "1". oval:org.secpod.oval:def:65934 The kernel module hfs should be disabled. oval:org.secpod.oval:def:70746 The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. ... oval:org.secpod.oval:def:70740 The auditing daemon, auditd , stores log data in the /var/log/audit directory. Rationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large ... oval:org.secpod.oval:def:70813 The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability. Rationale: If ... oval:org.secpod.oval:def:65951 Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory. Changes to files in this directory could indicate that an unauthorized user is atte ... oval:org.secpod.oval:def:65926 The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su co ... oval:org.secpod.oval:def:70785 The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: The ... oval:org.secpod.oval:def:70733 Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server. oval:org.secpod.oval:def:70751 The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In additi ... oval:org.secpod.oval:def:66007 The kernel runtime parameter "net.ipv4.tcp_syncookies" should be set to "1". oval:org.secpod.oval:def:70745 The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system. oval:org.secpod.oval:def:70820 The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files. Ration ... oval:org.secpod.oval:def:65947 File permissions for '/etc/group' should be set correctly. oval:org.secpod.oval:def:65971 Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged w ... oval:org.secpod.oval:def:65952 Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and ... oval:org.secpod.oval:def:70768 The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Rationale: To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartu ... oval:org.secpod.oval:def:70816 The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service. Rationale: The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of th ... oval:org.secpod.oval:def:70803 Although the groupadd program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group file and change the group name. Rationale: If a group is assigned a duplicate group name, it will create and have access to files with ... oval:org.secpod.oval:def:70822 Squid is a standard proxy server used in many distributions and environments. Rationale: If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface. oval:org.secpod.oval:def:65963 This test makes sure that '/etc/shadow' file permission is setted as appropriate. If the target file or directory has an extended ACL then it will fail the mode check. oval:org.secpod.oval:def:65969 Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribu ... oval:org.secpod.oval:def:70765 GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system ... oval:org.secpod.oval:def:70797 While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. Rationale: .netrcfiles may contain unencrypted passwords that may be used to attack other systems. oval:org.secpod.oval:def:70789 Any account with UID 0 has superuser privileges on the system. Rationale: This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 ... oval:org.secpod.oval:def:70753 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp. oval:org.secpod.oval:def:70749 The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp. oval:org.secpod.oval:def:70817 The cron daemon is used to execute batch jobs on the system. Rationale: While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them. oval:org.secpod.oval:def:70808 autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives. RAtionale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themse ... oval:org.secpod.oval:def:70828 All users should have a password change date in the past. Rationale: If a users recorded password change date is in the future then they could bypass any set password expiration. oval:org.secpod.oval:def:65940 The Set Password Warning Age should be set appropriately. oval:org.secpod.oval:def:65943 The kernel module hfsplus should be disabled. oval:org.secpod.oval:def:65938 The kernel runtime parameter "net.ipv4.conf.default.accept_redirects" should be set to "0". oval:org.secpod.oval:def:65950 The default umask for all users specified in /etc/login.defs oval:org.secpod.oval:def:65953 The accounts should be configured to expire automatically following Inactivity accounts. oval:org.secpod.oval:def:70779 The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a pass ... oval:org.secpod.oval:def:70791 Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist. Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local envir ... oval:org.secpod.oval:def:70829 The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds. Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn' ... oval:org.secpod.oval:def:65941 The file /etc/securetty contains a list of valid terminals that may be logged in directly as root. oval:org.secpod.oval:def:65923 Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail. oval:org.secpod.oval:def:70769 The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. Rationale: To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of s ... oval:org.secpod.oval:def:70766 The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational li ... oval:org.secpod.oval:def:70781 The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Rationale: If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information. oval:org.secpod.oval:def:70732 The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file. oval:org.secpod.oval:def:70826 System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Rationale: Time synchronization is important to support time sens ... oval:org.secpod.oval:def:65948 /etc/hosts.allow file is present. oval:org.secpod.oval:def:65913 The kernel module rds should be disabled. oval:org.secpod.oval:def:65914 The kernel module tipc should be disabled. oval:org.secpod.oval:def:70799 Over time, system administration errors and changes can lead to groups being defined in /etc/passwd but not in /etc/group. Rationale: Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly ma ... oval:org.secpod.oval:def:70795 The .forward file specifies an email address to forward the user's mail to. Rationale: Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execut ... oval:org.secpod.oval:def:70755 sudo can use a custom log file. Rationale: A sudo log file simplifies auditing of sudo commands. oval:org.secpod.oval:def:70756 SOMETHING HERE oval:org.secpod.oval:def:70752 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp. oval:org.secpod.oval:def:70747 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp. oval:org.secpod.oval:def:65993 TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers ... oval:org.secpod.oval:def:65954 Normally, auditd will hold 4 logs of maximum log file size before deleting older log files. In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. max_log_file_action setting in /etc/audit/auditd.conf is set to at least a certain v ... oval:org.secpod.oval:def:70777 The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information Rationale: If attackers can gain read access to the /etc/gshadow file, they can easily run a password ... oval:org.secpod.oval:def:70735 USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a pe ... oval:org.secpod.oval:def:70742 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. oval:org.secpod.oval:def:70819 Turn on the auditd daemon to record system events. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring. oval:org.secpod.oval:def:65998 IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. ufw was developed to ease IPtables firewall configuration. oval:org.secpod.oval:def:65960 The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. oval:org.secpod.oval:def:65912 The kernel runtime parameter "kernel.randomize_va_space" should be set to "2". oval:org.secpod.oval:def:70734 'biosdevname' is an external tool that works with the udev framework for naming devices. 'biosdevname' uses three methods to determine NIC names: 1. PCI firmware spec.3.1 2. smbios (matches # after "em" to OEM # printed on board or housing) 3. PCI IRQ Routing Table (uses # of NIC position in t ... oval:org.secpod.oval:def:70744 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them. oval:org.secpod.oval:def:70812 Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automat ... oval:org.secpod.oval:def:70834 Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer o ... oval:org.secpod.oval:def:65964 The /etc/shadow file contains the one-way cipher text passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root. oval:org.secpod.oval:def:65966 The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root. oval:org.secpod.oval:def:65915 The kernel module sctp should be disabled. oval:org.secpod.oval:def:70786 The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: The ... oval:org.secpod.oval:def:66002 The squashfs Kernel Module should be disabled. oval:org.secpod.oval:def:70800 Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Rationale: Users must be assigned unique UIDs for accountability and to ensure appropriate access pro ... oval:org.secpod.oval:def:708115 libcommons-net-java: Apache Commons Net - Java client API for basic Internet protocols Apache Commons Net could be made to expose sensitive information over the network. oval:org.secpod.oval:def:708125 erlang: Concurrent, real-time, distributed functional language Erlang could allow unintended access to network services. oval:org.secpod.oval:def:708154 node-eventsource: EventSource client for Node.js and Browser EventSource could leak sensitive information if it opened a specially crafted input file. oval:org.secpod.oval:def:708253 libjettison-java: A Java library for converting XML to JSON and vice-versa Several security issues were fixed in Jettison. oval:org.secpod.oval:def:708256 pypdf2: Pure-Python library built as a PDF toolkit PyPDF2 could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708393 openjdk-17: Open Source Java implementation - openjdk-lts: Open Source Java implementation Details: USN-6263-1 fixed vulnerabilities in OpenJDK. Unfortunately, that update introduced a regression when opening APK, ZIP or JAR files in OpenJDK 11 and OpenJDK 17. This update fixes the problem. We apolo ... oval:org.secpod.oval:def:705738 gdm3: GNOME Display Manager GDM could be made to create privileged users. oval:org.secpod.oval:def:70811 The rsyncd service can be used to synchronize files between systems over network links. Rationale: The rsyncd service presents a security risk as it uses unencrypted protocols for communication. oval:org.secpod.oval:def:70758 The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Rationale: If there are no xinetd services ... oval:org.secpod.oval:def:70759 The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Rationale: If there are no inetd services required, it is recommended that the daemon be removed. oval:org.secpod.oval:def:70760 The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal creden ... oval:org.secpod.oval:def:70761 The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. Rationale: If the system will not need to act as an LDAP client, it is recommended that the softwar ... oval:org.secpod.oval:def:65991 Remote connections (SSH) from accounts with empty passwords should be disabled (and dependencies are met). oval:org.secpod.oval:def:65995 SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. oval:org.secpod.oval:def:65997 The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed. oval:org.secpod.oval:def:65996 The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive ... oval:org.secpod.oval:def:65942 The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. oval:org.secpod.oval:def:65949 This variable limits the types of ciphers that SSH can use during communication. oval:org.secpod.oval:def:65933 The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. oval:org.secpod.oval:def:65935 The INFO parameter specifies that record login and logout activity will be logged. oval:org.secpod.oval:def:65962 Root login via SSH should be disabled (and dependencies are met) oval:org.secpod.oval:def:65961 Only SSH protocol version 2 connections should be permitted. oval:org.secpod.oval:def:65965 File permission for '/etc/ssh/sshd_config' is set to appropriate values. oval:org.secpod.oval:def:65925 The PermitUserEnvironment option allows users to present environment options to the ssh daemon. oval:org.secpod.oval:def:65927 There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged:AllowUsers The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. ... oval:org.secpod.oval:def:66005 Emulation of the rsh command through the ssh server should be disabled (and dependencies are met) oval:org.secpod.oval:def:70835 UsePAM Enables the Pluggable Authentication Module interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types oval:org.secpod.oval:def:70833 MAC algorithms being used during ssh can be limited by defining them in sshd_config file. oval:org.secpod.oval:def:65931 The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub. oval:org.secpod.oval:def:70831 The contents of the file /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. oval:org.secpod.oval:def:708235 sssd: System Security Services Daemon SSSD could allow unintended access to network services. oval:org.secpod.oval:def:708245 libpano13: panorama tools library pano13 could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:708331 open-iscsi: Open Source iSCSI implementation Several security issues were fixed in Open-iSCSI. oval:org.secpod.oval:def:708345 php-dompdf: HTML to PDF converter Several security issues were fixed in Dompdf. oval:org.secpod.oval:def:708390 elfutils: collection of utilities to handle ELF objects Several security issues were fixed in elfutils. oval:org.secpod.oval:def:708402 atftp: Advanced TFTP Server and Client Several security issues were fixed in atftp. oval:org.secpod.oval:def:708430 memcached: High-performance in-memory object caching system Memcached could be made to denial of service. oval:org.secpod.oval:def:707653 nvidia-graphics-drivers-390: NVIDIA binary X.Org driver - nvidia-graphics-drivers-450-server: NVIDIA server driver - nvidia-graphics-drivers-470: NVIDIA binary X.Org driver - nvidia-graphics-drivers-470-server: NVIDIA server driver - nvidia-graphics-drivers-510: NVIDIA binary X.Org driver - nvidia-g ... oval:org.secpod.oval:def:707660 mod-wsgi: Python WSGI adapter module for Apache mod-wsgi could allow unintended access to network services. oval:org.secpod.oval:def:93150 The host is installed with Microsoft Identity Linux Broker before 1.6.1 and is prone to a remote code execution vulnerability. A flaw is present in the application, which fails to properly handle a malicious file. Successful exploitation allows attackers to compromise files that they were allowed ac ... oval:org.secpod.oval:def:707741 squid: Web proxy cache server - squid3: Web proxy cache server Several security issues were fixed in Squid. oval:org.secpod.oval:def:705998 pyyaml: YAML parser and emitter for Python PyYAML could be made to run programs if it opened a specially crafted YAML file. oval:org.secpod.oval:def:707686 varnish: state of the art, high-performance web accelerator Details: USN-5474-1 fixed vulnerabilities in Varnish Cache. Unfortunately the fix for CVE-2020-11653 was incomplete. This update fixes the problem. Original advisory Varnish Cache could be made to restart if it received specially crafted in ... oval:org.secpod.oval:def:708404 docker-registry: Docker toolset to pack, ship, store, and deliver content Docker Registry could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708234 sniproxy: Transparent TLS and HTTP layer 4 proxy with SNI support SNI Proxy could be made to crash or run programs if it received specially crafted input. oval:org.secpod.oval:def:708282 cpdb-libs: Common Print Dialog Backends - Tools CPDB could be made to crash or execute arbitrary code. oval:org.secpod.oval:def:708289 ruby-doorkeeper: OAuth 2 provider for Rails and Grape Doorkeeper could be made to expose sensitive information over the network. oval:org.secpod.oval:def:708356 pypdf2: Pure-Python library built as a PDF toolkit PyPDF2 could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708132 heat: OpenStack Orchestration Service OpenStack Heat could be made to expose sensitive information. oval:org.secpod.oval:def:708276 python-reportlab: library to create PDF documents ReportLab could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:708142 python-os-brick: Library for managing local volume attaches os-brick could be made to expose sensitive information. oval:org.secpod.oval:def:708141 cinder: OpenStack storage service Cinder could be made to expose sensitive information. oval:org.secpod.oval:def:708143 python-glance-store: OpenStack Image Service store library Glance_store could be made to expose sensitive information. oval:org.secpod.oval:def:708140 nova: OpenStack Compute cloud infrastructure Nova could be made to expose sensitive information. oval:org.secpod.oval:def:708321 graphite-web: A highly scalable real-time graphing system Several security issues were fixed in Graphite-Web. oval:org.secpod.oval:def:707827 sysstat: system performance tools for Linux Sysstat could be made to crash or run programs if it processed specially crafted data. oval:org.secpod.oval:def:707746 strongswan: IPsec VPN solution strongSwan could be made do denial of service if it received a specially crafted certificate. oval:org.secpod.oval:def:707804 nginx: small, powerful, scalable web/proxy server Several security issues were fixed in nginx. oval:org.secpod.oval:def:707823 exim4: Exim is a mail transport agent Exim could be made to crash or run programs if it processed specially crafted regular expressions. oval:org.secpod.oval:def:707750 isc-dhcp: DHCP server and client Several security issues were fixed in DHCP. oval:org.secpod.oval:def:708300 knot-resolver: caching, DNSSEC-validating DNS resolver Knot Resolver could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:707682 open-vm-tools: Open VMware Tools for virtual machines hosted on VMware open-vm-tools could be made to run programs as an administrator. oval:org.secpod.oval:def:707656 gnutls28: GNU TLS library Several security issues were fixed in GnuTLS. oval:org.secpod.oval:def:707649 libtirpc: transport-independent RPC library - common files libtirpc could be made to denial of service if it received a specially crafted input. oval:org.secpod.oval:def:707633 libhttp-daemon-perl: simple http server class HTTP-Daemon could allow HTTP Request Smuggling attacks. oval:org.secpod.oval:def:708313 ecdsautils: ECDSA elliptic curve cryptography command line tools ECDSA Util could be made to accept forged signatures. oval:org.secpod.oval:def:708287 gerbv: Gerber file viewer for PCB design Gerbv could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:706276 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:77374 apache-log4j2: Apache Log4j - Logging Framework for Java Several security issues were fixed in Apache Log4j 2. oval:org.secpod.oval:def:706185 strongswan: IPsec VPN solution Several security issues were fixed in strongSwan. oval:org.secpod.oval:def:708418 plib: Portability Libraries: Development package PLIB could be made to execute arbitrary code if it opens a specially crafted TGA file. oval:org.secpod.oval:def:706153 edk2: UEFI firmware for virtual machines Several security issues were fixed in EDK II. oval:org.secpod.oval:def:706111 openssl: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL. oval:org.secpod.oval:def:708188 linuxptp: Precision Time Protocol implementation for Linux Linux PTP could be made to crash, run arbitrary code, or expose sensitive information if it received specially crafted input. oval:org.secpod.oval:def:708365 zziplib: The ZZIPlib provides read access on ZIP-archives and unpacked data Several security issues were fixed in ZZIPlib. oval:org.secpod.oval:def:706023 nginx: small, powerful, scalable web/proxy server nginx could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:705904 gdk-pixbuf: GDK Pixbuf library GDK-PixBuf could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:706025 libx11: X11 client-side library libx11 could allow unintended access to services. oval:org.secpod.oval:def:706019 runc: Open Container Project runC could be made to overwrite files as the administrator. oval:org.secpod.oval:def:706026 isc-dhcp: DHCP server and client DHCP could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:706047 libimage-exiftool-perl: library and program to read and write meta information in multime libimage-exiftool-perl could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:706007 mysql-8.0: MySQL database - mysql-5.7: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:705796 gdk-pixbuf: GDK Pixbuf library GDK-PixBuf could be made to hang if it opened a specially crafted file. oval:org.secpod.oval:def:708267 pngcheck: Verifies the integrity of PNG, JNG and MNG files Several security issues were fixed in pngcheck. oval:org.secpod.oval:def:705740 spice-vdagent: Spice agent for Linux Several security issues were fixed in SPICE vdagent. oval:org.secpod.oval:def:707802 golang-1.13: Go programming language compiler Go applications could be made to hang or crash if they received specially crafted input. oval:org.secpod.oval:def:705565 ghostscript: PostScript and PDF interpreter Ghostscript could be made to crash, access files, or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:705541 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK. oval:org.secpod.oval:def:705526 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:708439 opendmarc: Open Source implementation of the DMARC specification Several security issues were fixed in OpenDMARC. oval:org.secpod.oval:def:706109 inetutils: GNU network utilities Inetutils could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:707824 jbigkit: JBIG1 data compression library JBIG-KIT could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:705564 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK. oval:org.secpod.oval:def:705996 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:706100 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:706203 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:706281 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:707623 nss: Network Security Service library Several security issues were fixed in NSS. oval:org.secpod.oval:def:707648 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:707685 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:707801 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:86997 sudo: Provide limited super user privileges to specific users Several security issues were fixed in Sudo. oval:org.secpod.oval:def:706226 freerdp2: RDP client for Windows Terminal Services Several security issues were fixed in FreeRDP. oval:org.secpod.oval:def:706118 grilo: Framework for discovering and browsing media - GObject introspect grilo could be made to allow MITM attacks. oval:org.secpod.oval:def:708445 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:708583 firefox: Mozilla Open Source web browser Details: USN-6456-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6456-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:708572 xrdp: Remote Desktop Protocol server xrdp could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:708573 libsndfile: Library for reading/writing audio files libsndfile could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708600 hibagent: Agent that triggers hibernation on EC2 instances A security improvement was added to hibagent. oval:org.secpod.oval:def:708297 lib3mf: Lib3MF is a C++ implementation of the 3D Manufacturing Format lib3mf could be made to execute arbitrary code if it opens a specially crafted 3MF file. oval:org.secpod.oval:def:708312 wkhtmltopdf: Command line utility to convert html to pdf using WebKit wkhtmltopdf could be made to expose sensitive information if it opened a specially crafted file. oval:org.secpod.oval:def:708350 velocity: A general purpose template engine written in Java Velocity Engine could be made to run arbitrary code if it opened a specially crafted file. oval:org.secpod.oval:def:708351 velocity-tools: A subproject of the Apache Velocity project Velocity Tools could be made to run arbitrary code if it opened a specially crafted file. oval:org.secpod.oval:def:708417 shiro: Powerful and easy-to-use Java security framework Several security issues were fixed in Apache Shiro. oval:org.secpod.oval:def:708426 libraw: raw image decoder library LibRaw could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708449 vsftpd: FTP server written for security vsftpd could allow unintended access to network services. oval:org.secpod.oval:def:708468 opusfile: debugging symbols for libopusfile Opusfile could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708469 editorconfig-core: coding style indenter for all editors EditorConfig Core C could be made to crash or run programs if it received specially crafted input. oval:org.secpod.oval:def:708470 kamailio: very fast, dynamic and configurable SIP server Kamailio could be made to crash or run programs if it received specially crafted input. oval:org.secpod.oval:def:708471 exo: Extension library used in the Xfce desktop Exo could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:708472 jupyter-core: Core common functionality of Jupyter projects Jupyter Core could be made to run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:708475 gsasl: GNU SASL command line utility gsasl could possibly be made crash or expose sensitive information over the network. oval:org.secpod.oval:def:708476 nanopb: Protocol Buffers with small code size Several security issues were fixed in Nanopb. oval:org.secpod.oval:def:708477 tigervnc: High-performance, platform-neutral implementation of VNC TigerVNC could be made to expose sensitive information over the network. oval:org.secpod.oval:def:708481 musl: standard C library Several security issues were fixed in musl. oval:org.secpod.oval:def:708483 node-css-what: A CSS selector parser Several security issues were fixed in css-what. oval:org.secpod.oval:def:708484 jhead: Manipulate the non-image part of Exif compliant JPEG files Jhead could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708489 libjettison-java: A Java library for converting XML to JSON and vice-versa Jettison could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708490 graphviz: rich set of graph drawing tools Several security issues were fixed in graphviz. oval:org.secpod.oval:def:707657 python-django: High-level Python web development framework Django could be made to expose sensitive information if it received an specially crafted input. oval:org.secpod.oval:def:708377 cjose: C library implementing the JOSE standard JOSE for C/C++ could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708330 open-vm-tools: Open VMware Tools for virtual machines hosted on VMware open-vm-tools could be made to bypass authentication. oval:org.secpod.oval:def:708473 wireshark: network traffic analyzer - meta-package Several security issues were fixed in Wireshark. oval:org.secpod.oval:def:706224 libreoffice: Office productivity suite LibreOffice could incorrectly validate document signatures. oval:org.secpod.oval:def:708427 nodejs: An open-source, cross-platform JavaScript runtime environment. Several security issues were fixed in Node.js. oval:org.secpod.oval:def:705905 python-django: High-level Python web development framework Django could allow unintended access to network services. oval:org.secpod.oval:def:707779 mysql-8.0: MySQL database - mysql-5.7: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:708131 openvswitch: Ethernet virtual switch Open vSwitch could be made to stop forwarding packets if it received specially crafted network traffic. oval:org.secpod.oval:def:708237 node-fetch: A light-weight module that brings the Fetch API to Node.js Node Fetch could be made to expose sensitive information if it opened a specially crafted file. oval:org.secpod.oval:def:708587 tidy-html5: HTML/XML syntax checker and reformatter tidy-html5 could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:92531 poppler: PDF rendering library poppler could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:707678 postgresql-14: Object-relational SQL database - postgresql-12: Object-relational SQL database - postgresql-10: Object-relational SQL database PostgreSQL could be made to run programs when creating or updating extensions. oval:org.secpod.oval:def:705997 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK. oval:org.secpod.oval:def:708159 node-minimatch: A glob matcher in javascript minimatch could be made to crash if it opened a specially crafted input file. oval:org.secpod.oval:def:708441 cups: Common UNIX Printing System CUPS could be made to expose sensitive information. oval:org.secpod.oval:def:708447 c-ares: library for asynchronous name resolution c-ares could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:708128 mysql-8.0: MySQL database - mysql-5.7: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:708359 mysql-8.0: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:70792 While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Rationale: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system ... oval:org.secpod.oval:def:65974 The prelinking feature changes binaries in an attempt to decrease their startup time. oval:org.secpod.oval:def:65977 The talk software makes it possible for users to send and receive messages across systems through a terminal session. oval:org.secpod.oval:def:65981 The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. oval:org.secpod.oval:def:65982 The rsh package contains the client commands for the rsh services. oval:org.secpod.oval:def:65983 The DPKG package 'xserver-xorg-core' should be removed. oval:org.secpod.oval:def:707820 xorg-server: X.Org X11 server - xwayland: X server for running X clients under Wayland - xorg-server-hwe-18.04: X.Org X11 server - xorg-server-hwe-16.04: X.Org X11 server Several security issues were fixed in X.Org X Server. oval:org.secpod.oval:def:69260 The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). oval:org.secpod.oval:def:706009 awstats: powerful and featureful web server log analyzer Several security issues were fixed in AWStats. oval:org.secpod.oval:def:705462 mysql-8.0: MySQL database - mysql-5.7: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:705460 python3.8: Interactive high-level object-oriented language Details: USN-4333-1 fixed vulnerabilities in Python. This update provides the corresponding update for Ubuntu 20.04 LTS. Original advisory Several security issues were fixed in Python. oval:org.secpod.oval:def:706201 mailman: Web-based mailing list manager Details: USN-5009-1 fixed vulnerabilities in Mailman. This update provides the corresponding updates for Ubuntu 20.04 LTS. In addition, the following CVEs were fixed: It was discovered that Mailman allows arbitrary content injection. An attacker could use this ... oval:org.secpod.oval:def:705567 libssh: None libssh could be made to crash if it received a specially crafted request. oval:org.secpod.oval:def:705542 firefox: Mozilla Open Source web browser A X-Frame-Options bypass was discovered in Firefox. oval:org.secpod.oval:def:705543 snapd: Daemon and tooling that enable snap packages An intended access restriction in snapd could be bypassed by strict mode snaps. oval:org.secpod.oval:def:705540 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:705528 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:705524 glib-networking: Network extensions for GLib Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet. oval:org.secpod.oval:def:705515 nss: Network Security Service library Several security issues were fixed in NSS. oval:org.secpod.oval:def:705516 libexif: library to parse EXIF files Several security issues were fixed in libexif. oval:org.secpod.oval:def:705630 storebackup: fancy compressing managing checksumming deduplicating hard-linkin StoreBackup could be made to stop executing or generate a race condition if it received a lock file in the default location. oval:org.secpod.oval:def:705631 qemu: Machine emulator and virtualizer QEMU could be made to crash or run programs. oval:org.secpod.oval:def:705629 libproxy: automatic proxy configuration management library libproxy could be made to crash if it received a specially crafted PAC file. oval:org.secpod.oval:def:705623 ruby-websocket-extensions: Generic extension manager for WebSocket connections websocket-extensions could be made to exhaust the server"s capacity to process incoming requests if it received specially crafted requests. oval:org.secpod.oval:def:705795 aptdaemon: transaction based package management service Several security issues were fixed in Aptdaemon. oval:org.secpod.oval:def:705798 lxml: pythonic binding for the libxml2 and libxslt libraries lxml could allow cross-site scripting attacks. oval:org.secpod.oval:def:705794 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools OpenSSL could be made to crash if it processed specially crafted input. oval:org.secpod.oval:def:705799 apt: Advanced front-end for dpkg APT could be made to crash or stop responding if it opened a specially crafted file. oval:org.secpod.oval:def:705769 pulseaudio: PulseAudio sound server PulseAudio could be made to expose sensitive information. oval:org.secpod.oval:def:705748 pacemaker: Cluster resource manager Pacemaker could be made to run programs as an administrator. oval:org.secpod.oval:def:705747 openldap: Lightweight Directory Access Protocol OpenLDAP could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:705731 ca-certificates: Common CA certificates The CA certificates in the ca-certificates package were updated. oval:org.secpod.oval:def:705737 blueman: Graphical bluetooth manager A security improvement has been made to blueman. oval:org.secpod.oval:def:705708 linux: Linux kernel - linux-raspi: Linux kernel for Raspberry Pi systems - linux-hwe-5.4: Linux hardware enablement kernel - linux-oem: Linux kernel for OEM systems - linux-raspi-5.4: Linux kernel for Raspberry Pi systems - linux-snapdragon: Linux kernel for Qualcomm Snapdragon processors - linux ... oval:org.secpod.oval:def:705639 libpam-tacplus: PAM module for using TACACS+ as an authentication service pam_tacplus could be made to expose sensitive information. oval:org.secpod.oval:def:705800 python-apt: Python interface to libapt-pkg python-apt could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:705734 fastd: Fast and Secure Tunneling Daemon fastd could be made to remotely exhaust resources if it received specially crafted packets. oval:org.secpod.oval:def:705921 wpa: client support for WPA and WPA2 wpa_supplicant could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:705919 tiff: Tag Image File Format library Several security issues were fixed in LibTIFF. oval:org.secpod.oval:def:705910 dnsmasq: Small caching DNS proxy and DHCP/TFTP server Details: USN-4698-1 fixed vulnerabilities in Dnsmasq. The updates introduced regressions in certain environments related to issues with multiple queries, and issues with retries. This update fixes the problem. Original advisory USN-4698-1 introdu ... oval:org.secpod.oval:def:705906 openldap: Lightweight Directory Access Protocol OpenLDAP could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:705907 qemu: Machine emulator and virtualizer Details: USN-4467-1 fixed vulnerabilities in QEMU. The fix for CVE-2020-13754 introduced a regression in certain environments. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-4467-1 introduced a regression in QEMU. oval:org.secpod.oval:def:705908 xterm: X terminal emulator xterm could be made to crash or run programs if it handled specially crafted character sequences. oval:org.secpod.oval:def:705909 screen: terminal multiplexer with VT100/ANSI terminal emulation GNU Screen could be made to crash or run programs if it processed specially crafted character sequences. oval:org.secpod.oval:def:65967 Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected. oval:org.secpod.oval:def:70764 Backlog limit represents the number of logs it will hold. Rationale: During boot if audit=1, then the backlog will hold specified number of records. If records more than are created during boot, auditd records will be lost and potential malicious activity could go undetected. oval:org.secpod.oval:def:95956 Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit ... oval:org.secpod.oval:def:95968 Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.Rationale:Storing log data on a remote host protects log integrity from local attacks. If an attacker gains ... oval:org.secpod.oval:def:95961 Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf is the configuration file used to specify how logs generated by Journald should be rotated.Rationale:By keeping the log ... oval:org.secpod.oval:def:95936 The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. oval:org.secpod.oval:def:95945 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var. oval:org.secpod.oval:def:95944 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/log. oval:org.secpod.oval:def:95957 The audit tools file should be owned by the appropriate group. oval:org.secpod.oval:def:95955 Audit log files contain information about the system and system activity.Rationale:Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality oval:org.secpod.oval:def:95953 Audit log files contain information about the system and system activity.Rationale:Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality. oval:org.secpod.oval:def:95951 Audit configuration files control auditd and what events are audited.Rationale:Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events.Misconfigured audit configuration files may prevent the auditing of critical events or impact the syste ... oval:org.secpod.oval:def:95969 Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts.Rationale:If a client is configured to also receive data, thus turning it into a server, the client system is acting outside it's operational boundary. oval:org.secpod.oval:def:95960 Journald will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files.Rationale:It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. oval:org.secpod.oval:def:95964 The operating system must generate audit records for successful/unsuccessful uses of the setfacl command. Rationale:This utility sets Access Control Lists (ACLs) of files and directories. Without generating audit records that are specific to the security and mission needs of the organization, it ... oval:org.secpod.oval:def:95963 The operating system must generate audit records for successful/unsuccessful uses of the chcon command.Rationale:The chcon command is used to change file security context. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult ... oval:org.secpod.oval:def:95962 The operating system must generate audit records for successful/unsuccessful uses of the chacl command.chacl is an IRIX-compatibility command, and is maintained for those users who are familiar with its use from either XFS or IRIX.Rationale:chacl changes the ACL(s) for a file or directory. Without g ... oval:org.secpod.oval:def:95933 /etc/shells is a text file which contains the full pathnames of valid login shells. This file is consulted by chsh and available to be queried by other programs.Rationale:It is critical to ensure that the /etc/shells file is protected from unauthorized access. Although it is protected by default, th ... oval:org.secpod.oval:def:95948 Without reauthentication, users may access resources or perform tasks for which they do not have authorization. oval:org.secpod.oval:def:95929 The autorun-never setting allows the GNOME Desktop Display Manager to disable autorun through GDM. Rationale:Malware on removable media may taking advantage of Autorun features when the media is inserted into a system and execute oval:org.secpod.oval:def:73993 Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loop ... oval:org.secpod.oval:def:73994 Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loop ... oval:org.secpod.oval:def:89583 X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays Rationale: XDMCP is inherently insecure. 1. XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered b ... oval:org.secpod.oval:def:89584 Ensure only strong Key Exchange algorithms are used oval:org.secpod.oval:def:89582 GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. The disable-user-list option controls is a list of users is displayed on the login screen. Rationale: Displaying the user list eliminates half of the Userid/Password equation that an unauthorize ... oval:org.secpod.oval:def:70757 Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Rationale: AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden. Note: This re ... oval:org.secpod.oval:def:73988 A default deny all policy on connections ensures that any unconfigured network usage will be rejected.With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. oval:org.secpod.oval:def:73987 A default deny all policy on connections ensures that any unconfigured network usage will be rejected.With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage. oval:org.secpod.oval:def:95970 System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Rationale: Time synchronization is important to support time sensit ... oval:org.secpod.oval:def:95952 Audit information includes all information including: audit records, audit settings and audit reports. This information is needed to successfully audit system activity. This information must be protected from unauthorized modification or deletion. If this information were to be compromised, forensic ... oval:org.secpod.oval:def:95967 Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.Rationale:Storing log data on a remote host protects log integrity from local attacks. If an attacker gains ... oval:org.secpod.oval:def:95965 The operating system must generate audit records for successful/unsuccessful uses of the chcon command.Rationale:The chcon command is used to change file security context. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult ... oval:org.secpod.oval:def:95939 GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time. Rationale: Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended. oval:org.secpod.oval:def:95938 GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time.By using the lockdown mode in dconf, you can prevent users from changing specific settings.To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory.The file ... oval:org.secpod.oval:def:95946 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/log filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/log. oval:org.secpod.oval:def:95949 Without reauthentication, users may access resources or perform tasks for which they do not have authorization. oval:org.secpod.oval:def:95943 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var. oval:org.secpod.oval:def:95941 By default GNOME automatically mounts removable media when inserted as a convenience to the user. By using the lockdown mode in dconf, you can prevent users from changing specific settings. To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files i ... oval:org.secpod.oval:def:95959 The audit tools file should be owned by the appropriate user. oval:org.secpod.oval:def:95950 Sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies. oval:org.secpod.oval:def:95954 Audit log files contain information about the system and system activity.Rationale:Access to audit records can reveal system and configuration data to attackers, potentially compromising its confidentiality oval:org.secpod.oval:def:95966 A space-separated list of NTP server host names or IP addresses. During runtime this list is combined with any per-interface NTP servers acquired from systemd-networkd.service(8). systemd-timesyncd will contact all configured system or per-interface servers in turn, until one responds. When the empt ... oval:org.secpod.oval:def:95931 dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services.Rationale:Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the ... oval:org.secpod.oval:def:95930 Bluetooth is a short-range wireless technology standard that is used for exchanging data between devices over short distances. It employs UHF radio waves in the ISM bands, from 2.402 GHz to 2.48 GHz. It is mainly used as an alternative to wire connections.Rationale:An attacker may be able to find a ... oval:org.secpod.oval:def:95940 By default GNOME automatically mounts removable media when inserted as a convenience to the user. Rationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it ... oval:org.secpod.oval:def:95928 The autorun-never setting allows the GNOME Desktop Display Manager to disable autorun through GDM. Rationale:Malware on removable media may taking advantage of Autorun features when the media is inserted into a system and execute oval:org.secpod.oval:def:65911 Core dumps for all users should be disabled oval:org.secpod.oval:def:95958 Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. OL 8 systems providing tools to interface with audit information will leverage user ... oval:org.secpod.oval:def:95947 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home oval:org.secpod.oval:def:95942 The noexec mount option specifies that the filesystem cannot contain executable . Rationale: Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log . oval:org.secpod.oval:def:89586 All password hashes should be shadowed. oval:org.secpod.oval:def:89585 This test makes sure that '/etc/gshadow' has appropriate permission. If the target file or directory has an extended ACL then it will fail the mode check. oval:org.secpod.oval:def:96078 sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user. Rationale: Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the ... oval:org.secpod.oval:def:96077 Ensure that the systemd-journald service is enabled to allow capturing of logging events. Rationale: If the systemd-journald service is not enabled to start on boot, the system will not capture logging events. oval:org.secpod.oval:def:96079 Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command i ... oval:org.secpod.oval:def:95935 The pwquality dictcheck option sets whether to check for the words from the cracklib dictionary.Rationale:If the operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and ... oval:org.secpod.oval:def:95934 The pwquality difok option sets the number of characters in a password that must not be present in the old password.Rationale:Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of ... oval:org.secpod.oval:def:95937 The pwquality maxrepeat option sets the maximum number of allowed same consecutive characters in a new password.Rationale:Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a p ... oval:org.secpod.oval:def:96080 The Apport Error Reporting Service automatically generates crash reports for debugging. Rationale: Apport collects potentially sensitive data, such as core dumps, stack traces, and logfiles. They can contain passwords, credit card numbers, serial numbers, and other private mate ... oval:org.secpod.oval:def:96082 The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log/audit. oval:org.secpod.oval:def:96083 The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/log/audit filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/log. oval:org.secpod.oval:def:708290 ghostscript: PostScript and PDF interpreter Ghostscript could be made to run programs if it opened a specially crafted file. oval:org.secpod.oval:def:708151 libwebp: Lossy compression of digital photographic images libwebp could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:708129 ceph: distributed storage and file system Several security issues were fixed in Ceph. oval:org.secpod.oval:def:707742 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:706277 apache-log4j1.2: Java-based open-source logging tool Apache Log4j 1.2 could be made to crash or run programs if it received specially crafted input. oval:org.secpod.oval:def:706202 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK. oval:org.secpod.oval:def:706147 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK. oval:org.secpod.oval:def:706114 libssh: A tiny C SSH library libssh could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:706017 pillow: Python Imaging Library Pillow could be made to crash or hang if it opened a specially crafted file. oval:org.secpod.oval:def:706004 flatpak: Application deployment framework for desktop apps A Flatpak application could access files that it would not normally be permitted to access. oval:org.secpod.oval:def:96081 The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit. oval:org.secpod.oval:def:95932 /etc/security/opasswd and it's backup /etc/security/opasswd.old hold user's previous passwords if pam_unix or pam_pwhistory is in use on the systemRationale:It is critical to ensure that /etc/security/opasswd is protected from unauthorized access. Although it is protected by default, the file permis ... oval:org.secpod.oval:def:707821 mariadb-10.6: MariaDB database - mariadb-10.3: MariaDB database Several security issues were fixed in MariaDB. oval:org.secpod.oval:def:708278 php8.1: HTML-embedded scripting language interpreter - php7.4: HTML-embedded scripting language interpreter PHP could be made to expose sensitive information. oval:org.secpod.oval:def:708217 libraw: raw image decoder library Several security issues were fixed in LibRaw. oval:org.secpod.oval:def:708110 cloud-init: initialization and customization tool for cloud instances cloud-init could write sensitive information to logs. oval:org.secpod.oval:def:708595 tang: network-based cryptographic binding server Tang could allow unintended access to secret keys. oval:org.secpod.oval:def:708246 libx11: X11 client-side library libx11 could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:708102 dnsmasq: Small caching DNS proxy and DHCP/TFTP server Dnsmasq could cause transmission reliability issues when sending large DNS messages. oval:org.secpod.oval:def:708213 perl: Practical Extraction and Report Language Details: USN-6112-1 fixed vulnerabilities in Perl. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. Original advisory Perl could be made to install modules from untrusted sources. oval:org.secpod.oval:def:708224 sysstat: system performance tools for Linux Sysstat could be made to crash or run programs if it processed specially crafted data. oval:org.secpod.oval:def:708208 cups: Common UNIX Printing System CUPS could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:708241 c-ares: library for asynchronous name resolution Several security issues were fixed in c-ares. oval:org.secpod.oval:def:708223 libreoffice: Office productivity suite Several security issues were fixed in LibreOffice. oval:org.secpod.oval:def:708089 libreoffice: Office productivity suite LibreOffice could be made to run arbitrary code if an empty entry to the java class path is configured. oval:org.secpod.oval:def:90538 netatalk: Apple Filing Protocol service Several security issues were fixed in Netatalk. oval:org.secpod.oval:def:707788 dbus: simple interprocess messaging system Several security issues were fixed in DBus. oval:org.secpod.oval:def:705514 dbus: simple interprocess messaging system DBus could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:85307 libreoffice: Office productivity suite Several security issues were fixed in LibreOffice. oval:org.secpod.oval:def:707753 libreoffice: Office productivity suite Several security issues were fixed in LibreOffice. oval:org.secpod.oval:def:85074 libreoffice: Office productivity suite Several security issues were fixed in LibreOffice. oval:org.secpod.oval:def:708414 sox: Swiss army knife of sound processing SoX could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:91656 connman: Intel Connection Manager daemon Several security issues were fixed in ConnMan. oval:org.secpod.oval:def:708243 libcap2: POSIX 1003.1e capabilities Several security issues were fixed in libcap2. oval:org.secpod.oval:def:708403 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:706225 bluez: Bluetooth tools and daemons Several security issues were fixed in BlueZ. oval:org.secpod.oval:def:708465 cargo: Rust package manager - rust-cargo: Rust package manager - feature "openssl" Cargo could be made to run programs as your login if it installed a specially crafted crate. oval:org.secpod.oval:def:708574 krb5: MIT Kerberos Network Authentication Protocol Details: USN-6467-1 fixed a vulnerability in Kerberos. This update provides the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. Original advisory Kerberos could be made to crash if it received specially crafted network ... oval:org.secpod.oval:def:708432 gawk: GNU awk, a pattern scanning and processing language gawk could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708130 freetype: FreeType 2 is a font engine library FreeType could be made to crash or possibly execute arbitrary code if it opened a specially crafted font file. oval:org.secpod.oval:def:708575 gsl: A modern numerical library for C and C++ programmers GNU Scientific Library could be made to crash or execute arbitrary code if it received specially crafted input. oval:org.secpod.oval:def:708444 libssh2: Client-side C library implementing the SSH2 protocol libssh2 could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:708429 flac: Free Lossless Audio Codec FLAC could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:708434 mutt: text-based mailreader supporting MIME, GPG, PGP and threading Mutt could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708366 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:708592 intel-microcode: Processor microcode for Intel CPUs The system could be made to crash or expose sensitive information under certain conditions. oval:org.secpod.oval:def:708594 strongswan: IPsec VPN solution strongSwan could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:708584 procps: /proc file system utilities procps-ng could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708210 avahi: IPv4LL network address configuration daemon Avahi could be made to crash if it received specially crafted DBus traffic. oval:org.secpod.oval:def:708597 avahi: IPv4LL network address configuration daemon Avahi could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708653 tar: GNU version of the tar archiving utility tar could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708669 gnome-control-center: utilities to configure the GNOME desktop GNOME Settings could allow unintended access to network services. oval:org.secpod.oval:def:708604 rabbitmq-server: AMQP server written in Erlang RabbitMQ could be made to denial of service if it received a specially crafted HTTP request. oval:org.secpod.oval:def:708339 gst-plugins-good1.0: GStreamer plugins GStreamer Good Plugins could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:708338 gst-plugins-base1.0: GStreamer plugins GStreamer Base Plugins could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:708370 haproxy: fast and reliable load balancing reverse proxy Details: USN-6294-1 fixed vulnerabilities in HAProxy. This update provides the corresponding updates for Ubuntu 20.04 LTS. Original advisory HAProxy could allow unintended access to network services. oval:org.secpod.oval:def:708440 libwebp: Lossy compression of digital photographic images libwebp could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:708438 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:708431 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs if it opened a malicious website. oval:org.secpod.oval:def:92538 inetutils: File Transfer Protocol client Inetutils could be made to crash or execute arbitrary code. oval:org.secpod.oval:def:708221 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:708292 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:708145 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:708147 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:708155 cups-filters: OpenPrinting CUPS Filters cups-filters could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:706099 c-ares: library for asynchronous name resolution c-ares could be made to return wrong domains. oval:org.secpod.oval:def:708639 request-tracker4: An enterprise-grade issue tracking system Several security issues were fixed in Request Tracker. oval:org.secpod.oval:def:708640 haproxy: fast and reliable load balancing reverse proxy HAProxy could be made to expose sensitive information. oval:org.secpod.oval:def:708674 audiofile: Open-source version of the SGI audiofile library Several security issues were fixed in audiofile. oval:org.secpod.oval:def:708675 yajl: Yet Another JSON Library Details: USN-6233-1 fixed vulnerabilities in YAJL. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. Original advisory Several security issues were fixed in YAJL. oval:org.secpod.oval:def:708466 python-git: Python library to interact with Git repositories GitPython could me made to execute arbitrary commands on the host. oval:org.secpod.oval:def:708658 netatalk: Apple Filing Protocol service Netatalk could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:708453 open-vm-tools: Open VMware Tools for virtual machines hosted on VMware Open VM Tools could allow unintended access to network services. oval:org.secpod.oval:def:708386 faad2: Freeware Advanced Audio Decoder Several security issues were fixed in FAAD2. oval:org.secpod.oval:def:708454 ruby-redcloth: Textile module for Ruby RedCloth could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:707818 freerdp2: RDP client for Windows Terminal Services Several security issues were fixed in FreeRDP. oval:org.secpod.oval:def:707625 dovecot: IMAP and POP3 email server Dovecot could allow unintended access to network services. oval:org.secpod.oval:def:707628 git: fast, scalable, distributed revision control system Git could be made to run arbitrary commands as an administrator if it received specially crafted inputs. oval:org.secpod.oval:def:708650 tinyxml: A simple, small, minimal, C++ XML parser TinyXML could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708281 containerd: daemon to control runC Several security issues were fixed in containerd. oval:org.secpod.oval:def:708357 golang-yaml.v2: YAML support for the Go language Several security issues were patched in the Go yaml package. oval:org.secpod.oval:def:707819 expat: XML parsing C library Details: USN-5638-1 fixed a vulnerability in Expat. This update provides the corresponding updates for Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10. This update also fixes a minor regression introduced in Ubuntu 18.04 LTS. We a ... oval:org.secpod.oval:def:707749 python-django: High-level Python web development framework Django could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:82612 It was discovered that OpenJDK incorrectly computed exponentials. An attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 17. oval:org.secpod.oval:def:708478 netty: Java NIO client/server socket framework Several security issues were fixed in Netty. oval:org.secpod.oval:def:706275 lxml: pythonic binding for the libxml2 and libxslt libraries lxml could be made to execute arbitrary code if it received a specially crafted XML or HTML file. oval:org.secpod.oval:def:706262 python-django: High-level Python web development framework Several security issues were fixed in Django. oval:org.secpod.oval:def:706101 postgresql-13: Object-relational SQL database - postgresql-12: Object-relational SQL database - postgresql-10: Object-relational SQL database Several security issues were fixed in PostgreSQL. oval:org.secpod.oval:def:708487 python-git: Python library to interact with Git repositories GitPython could be made to run arbitrary commands on the host. oval:org.secpod.oval:def:708233 requests: elegant and simple HTTP library for Python Requests could be made to expose sensitive information over the network. oval:org.secpod.oval:def:708220 nghttp2: HTTP/2 C Library and tools nghttp2 could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708133 sqlparse: documentation for non-validating SQL parser in Python SQL parse could be made to denial of service if it received a specially crafted regular expression. oval:org.secpod.oval:def:708120 python-django: High-level Python web development framework A Django hardening measure could be bypassed. oval:org.secpod.oval:def:705739 python-cryptography: Cryptography Python library python-cryptography could be made to expose sensitive information over the network. oval:org.secpod.oval:def:89581 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL. oval:org.secpod.oval:def:708651 glibc: GNU C Library Several security issues were fixed in GNU C Library. oval:org.secpod.oval:def:708374 clamav: Anti-virus utility for Unix ClamAV could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708335 librsvg: renderer library for SVG files librsvg could be made to expose sensitive information. oval:org.secpod.oval:def:91655 ruby3.1: Interpreter of object-oriented scripting language Ruby - ruby3.0: Interpreter of object-oriented scripting language Ruby - ruby2.7: Object-oriented scripting language - ruby2.5: Object-oriented scripting language - ruby2.3: Object-oriented scripting language Several security issues were fix ... oval:org.secpod.oval:def:708127 ruby2.7: Object-oriented scripting language - ruby2.5: Object-oriented scripting language - ruby2.3: Object-oriented scripting language Details: USN-6055-1 fixed a vulnerability in Ruby. Unfortunately it introduced a regression. This update reverts the patches applied to CVE-2023-28755 in order to f ... oval:org.secpod.oval:def:708121 ruby2.7: Object-oriented scripting language - ruby2.5: Object-oriented scripting language - ruby2.3: Object-oriented scripting language Several security issues were fixed in Ruby. oval:org.secpod.oval:def:707705 linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708240 binutils: GNU assembler, linker and binary utilities GNU binutils could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:82611 Neil Madden discovered that OpenJDK did not properly verify ECDSA signatures. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 17 and OpenJDK 18. oval:org.secpod.oval:def:706113 mongodb: Document-oriented database MongoDB could provide unintended access. oval:org.secpod.oval:def:708590 python-pip: Python package installer Details: USN-6473-1 fixed vulnerabilities in urllib3. This update provides the corresponding updates for the urllib3 module bundled into pip. Original advisory Several security issues were fixed in pip. oval:org.secpod.oval:def:708577 python-urllib3: HTTP library with thread-safe connection pooling Several security issues were fixed in urllib3. oval:org.secpod.oval:def:708119 git: fast, scalable, distributed revision control system Several security issues were fixed in Git. oval:org.secpod.oval:def:705912 python3.8: Interactive high-level object-oriented language - python2.7: An interactive high-level object-oriented language - python3.6: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language - python3.4: An interactive high-level object-or ... oval:org.secpod.oval:def:708680 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:708214 libssh: A tiny C SSH library Several security issues were fixed in libssh. oval:org.secpod.oval:def:707627 xorg-server: X.Org X11 server - xwayland: Xwayland X server - xorg-server-hwe-18.04: X.Org X11 server Several security issues were fixed in X.Org X Server. oval:org.secpod.oval:def:97811 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97813 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97824 A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be det ... oval:org.secpod.oval:def:97843 The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all software components after updated versions have been installed. Previous versions of software components that are not removed from the information system after updates have been installed may be exploited b ... oval:org.secpod.oval:def:97819 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97814 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97816 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97812 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97825 Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis oval:org.secpod.oval:def:97832 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. oval:org.secpod.oval:def:97834 The Ubuntu operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. oval:org.secpod.oval:def:97823 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. oval:org.secpod.oval:def:97838 Linux has a special directory for storing logs called /var/log. This directory contains logs from the OS itself, services, and various applications running on the system. Only authorized personnel should be aware of logs and the details of the logs. It is critical to ensure that the /var/log directo ... oval:org.secpod.oval:def:97846 Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructu ... oval:org.secpod.oval:def:97828 When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment va ... oval:org.secpod.oval:def:97822 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. oval:org.secpod.oval:def:97836 Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. oval:org.secpod.oval:def:97833 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The fdisk command is an interactive tool that is used to ... oval:org.secpod.oval:def:97827 Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. oval:org.secpod.oval:def:97835 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional at ... oval:org.secpod.oval:def:97830 The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC ... oval:org.secpod.oval:def:97847 Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to ... oval:org.secpod.oval:def:97820 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97839 The /var/log/syslog file on Linux systems contains system messages logged by various services and the kernel. Only authorized personnel should be aware of logs and the details of the logs. It is critical to ensure that the /var/log/syslog directory is protected from unauthorized access. Although it ... oval:org.secpod.oval:def:97848 Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructu ... oval:org.secpod.oval:def:97849 Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filt ... oval:org.secpod.oval:def:97818 Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to ... oval:org.secpod.oval:def:97815 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97810 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97829 It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional at ... oval:org.secpod.oval:def:97821 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97817 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components wi ... oval:org.secpod.oval:def:97831 When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment va ... oval:org.secpod.oval:def:97840 If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. oval:org.secpod.oval:def:97837 Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including ... oval:org.secpod.oval:def:97844 The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in ac ... oval:org.secpod.oval:def:97845 The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in ac ... oval:org.secpod.oval:def:708607 gnutls28: GNU TLS library GnuTLS could be made to expose sensitive information over the network. oval:org.secpod.oval:def:96501 python-cryptography: Cryptography Python library Several security issues were fixed in python-cryptography. oval:org.secpod.oval:def:708474 vlc: multimedia player and streamer Several security issues were fixed in VLC media player. oval:org.secpod.oval:def:708389 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:708337 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:708295 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login. oval:org.secpod.oval:def:708280 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:708570 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:708264 cups: Common UNIX Printing System CUPS could be made to crash or expose sensitive information over the network. oval:org.secpod.oval:def:708232 vim: Vi IMproved - enhanced vi editor Several security issues were fixed in Vim. oval:org.secpod.oval:def:708126 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK. oval:org.secpod.oval:def:708309 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:708646 postgresql-15: Object-relational SQL database - postgresql-14: Object-relational SQL database - postgresql-12: Object-relational SQL database Several security issues were fixed in PostgreSQL. oval:org.secpod.oval:def:708371 postgresql-15: Object-relational SQL database - postgresql-14: Object-relational SQL database - postgresql-12: Object-relational SQL database Several security issues were fixed in PostgreSQL. oval:org.secpod.oval:def:92537 openjdk-17: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:92536 openjdk-17: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:708149 openjdk-17: Open Source Java implementation - openjdk-20: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:708336 openjdk-17: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:92535 vim: Vi IMproved - enhanced vi editor Several security issues were fixed in Vim. oval:org.secpod.oval:def:92530 vim: Vi IMproved - enhanced vi editor Several security issues were fixed in Vim. oval:org.secpod.oval:def:707884 vim: Vi IMproved - enhanced vi editor Several security issues were fixed in Vim. oval:org.secpod.oval:def:705733 openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:708158 runc: Open Container Project Several security issues were fixed in runC. oval:org.secpod.oval:def:705995 exiv2: EXIF/IPTC/XMP metadata manipulation tool Several security issues were fixed in Exiv2. oval:org.secpod.oval:def:72636 exiv2: EXIF/IPTC/XMP metadata manipulation tool Several security issues were fixed in Exiv2. oval:org.secpod.oval:def:708649 bluez: Bluetooth tools and daemons BlueZ could be made to give a physically proximate attacker keyboard and mouse control of a computer. oval:org.secpod.oval:def:65976 Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and ta ... oval:org.secpod.oval:def:97841 If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. oval:org.secpod.oval:def:97826 In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users ... oval:org.secpod.oval:def:97842 Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. The sudoedit command is used to edit files with elevated ... oval:org.secpod.oval:def:98213 libclamunrar: anti-virus utility for Unix - unrar support Several security issues were fixed in libclamunrar. oval:org.secpod.oval:def:98214 golang-1.20: Go programming language compiler - golang-1.21: Go programming language compiler Several security issues were fixed in Go. oval:org.secpod.oval:def:98215 twisted: Event-based framework for internet applications Several security issues were fixed in Twisted. oval:org.secpod.oval:def:98216 freeimage: Support library for graphics image formats Several security issues were fixed in FreeImage. oval:org.secpod.oval:def:708710 xerces-c: Validating XML parser written in a portable subset of C++ Several security issues were fixed in Xerces-C++. oval:org.secpod.oval:def:708707 xerces-c: Validating XML parser written in a portable subset of C++ Details: USN-6579-1 fixed a vulnerability in Xerces-C++. This update provides the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.04 and Ubuntu 23.10. Original advisory Xerces-C++ could be made to crash or run ... oval:org.secpod.oval:def:98219 jinja2: documentation for the Jinja2 Python library Several security issues were fixed in jinja2. oval:org.secpod.oval:def:708751 libde265: Open H.265 video codec implementation Several security issues were fixed in libde265. oval:org.secpod.oval:def:708736 libde265: Open H.265 video codec implementation Several security issues were fixed in libde265. oval:org.secpod.oval:def:708689 golang-1.13: Go programming language compiler - golang-1.16: Go programming language compiler Details: USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. Original adviso ... oval:org.secpod.oval:def:708103 golang-1.18: Go programming language compiler - metapackage Several security issues were fixed in Go. oval:org.secpod.oval:def:708698 firefox: Mozilla Open Source web browser Details: USN-6562-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6562-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:708772 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:708684 clamav: Anti-virus utility for Unix ClamAV was updated to remain compatible with signature database downloads. oval:org.secpod.oval:def:708703 libspf2: Sender Policy Framework for SMTP authorization Several security issues were fixed in Libspf2. oval:org.secpod.oval:def:708732 xorg-server: X.Org X11 server - xwayland: X server for running X clients under Wayland Details: USN-6587-1 fixed vulnerabilities in X.Org X Server. The fix was incomplete resulting in a possible regression. This update fixes the problem. We apologize for the inconvenience. Original advisory A regres ... oval:org.secpod.oval:def:708708 pam: Pluggable Authentication Modules PAM could be made to stop responding if it opened a specially crafted file. oval:org.secpod.oval:def:708740 postfix: High-performance mail transport agent Details: USN-6591-1 fixed vulnerabilities in Postfix. A fix with less risk of regression has been made available since the last update. This update updates the fix and aligns with the latest configuration guidelines regarding this vulnerability. We apol ... oval:org.secpod.oval:def:708714 postfix: High-performance mail transport agent Postfix could allow bypass of email authentication if it received specially crafted network traffic. oval:org.secpod.oval:def:708717 libapache-session-ldap-perl: Apache::Session::LDAP Perl module - Store Apache Session in LDAP Apache::Session::LDAP could be made to expose sensitive information through spoofing if it received invalid X.509 certificate. oval:org.secpod.oval:def:708719 mariadb: MariaDB database - mariadb-10.6: MariaDB database - mariadb-10.3: MariaDB database Several security issues were fixed in MariaDB. oval:org.secpod.oval:def:708746 firefox: Mozilla Open Source web browser Details: USN-6610-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Original advisory USN-6610-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:708727 exim4: Exim is a mail transport agent Exim could be made to bypass an SPF protection mechanism if it received a specially crafted request. oval:org.secpod.oval:def:708731 tinyxml: A simple, small, minimal, C++ XML parser TinyXML could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708729 ceph: distributed storage and file system Ceph could be made to bypass authorization checks if it received a specially crafted request. oval:org.secpod.oval:def:708737 amanda: Advanced Maryland Automatic Network Disk Archiver amanda could be used to escalate privilege if it was provided with specially crafted arguments. oval:org.secpod.oval:def:708735 openldap: Lightweight Directory Access Protocol OpenLDAP could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708760 ujson: ultra fast JSON encoder and decoder for Python 3 Details: USN-6629-1 fixed vulnerabilities in UltraJSON. This update provides the corresponding updates for Ubuntu 20.04 LTS. Original advisory UltraJSON could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708763 shadow: system login tools shadow could be made to expose sensitive information. oval:org.secpod.oval:def:708712 libssh: A tiny C SSH library Several security issues were fixed in libssh. oval:org.secpod.oval:def:708709 zookeeper: High-performance coordination service for distributed applications Several security issues were fixed in ZooKeeper. oval:org.secpod.oval:def:707659 openjdk-17: Open Source Java implementation - openjdk-18: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:708734 mysql-8.0: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:708368 ghostscript: PostScript and PDF interpreter Ghostscript could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708342 maradns: A small open-source DNS server Several security issues were fixed in MaraDNS. oval:org.secpod.oval:def:708769 tiff: Tag Image File Format library Several security issues were fixed in LibTIFF. oval:org.secpod.oval:def:708762 edk2: UEFI firmware for virtual machines Several security issues were fixed in EDK II. oval:org.secpod.oval:def:91654 imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick. oval:org.secpod.oval:def:93725 curl: cookie injection with none file. oval:org.secpod.oval:def:708713 gnutls28: GNU TLS library Several security issues were fixed in GnuTLS. oval:org.secpod.oval:def:708464 imagemagick: Image manipulation programs and library ImageMagick could be made to crash when processing the -help option. oval:org.secpod.oval:def:92533 tiff: Tag Image File Format library Several security issues were fixed in LibTIFF. oval:org.secpod.oval:def:706278 pillow: Python Imaging Library Several security issues were fixed in Pillow. oval:org.secpod.oval:def:707778 pillow: Python Imaging Library Details: USN-5227-1 fixed vulnerabilities in Pillow. It was discovered that the fix for CVE-2022-22817 was incomplete. This update fixes the problem. Original advisory An incomplete fix was discovered in Pillow. oval:org.secpod.oval:def:708754 python-glance-store: OpenStack Image Service store library Glance_store could be made to expose sensitive information. oval:org.secpod.oval:def:708700 w3m: WWW browsable pager with excellent tables/frames support w3m could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:85309 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:85076 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:707873 w3m: WWW browsable pager with excellent tables/frames support w3m could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:706021 lz4: Extremely fast compression algorithm LZ4 could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:708315 openssh: secure shell for secure access to remote machines OpenSSH could be made to run programs as your login when using ssh-agent forwarding. oval:org.secpod.oval:def:706190 libcaca: text mode graphics utilities libcaca could be made to crash if it received a specially crafted image. oval:org.secpod.oval:def:67763 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:705619 gupnp: framework for creating UPnP devices and control points gupnp could be made to expose sensitive information or perform network attacks if it received specially crafted network traffic. oval:org.secpod.oval:def:708815 puma: threaded HTTP 1.1 server for Ruby/Rack applications Several security issues were fixed in Puma. oval:org.secpod.oval:def:708813 libhtmlcleaner-java: Java HTML Parser library libhtmlcleaner-java could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:708847 graphviz: rich set of graph drawing tools Graphviz could be made to crash if it opened a specially crafted config6a file. oval:org.secpod.oval:def:708864 firefox: Mozilla Open Source web browser Details: USN-6710-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Original advisory USN-6710-1 caused some minor regressions in Firefox. oval:org.secpod.oval:def:708867 xorg-server: X.Org X11 server - xwayland: X server for running X clients under Wayland Details: USN-6721-1 fixed vulnerabilities in X.Org X Server. That fix was incomplete resulting in a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory A regression was ... oval:org.secpod.oval:def:708874 nss: Network Security Service library Details: USN-6727-1 fixed vulnerabilities in NSS. The update introduced a regression when trying to load security modules on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-6727-1 in ... oval:org.secpod.oval:def:708873 squid: Web proxy cache server Details: USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused Squid to crash in certain environments on Ubuntu 20.04 LTS. The problematic fix has been reverted pending further investigation. We apologize for the inconvenience. Original advisory US ... oval:org.secpod.oval:def:707652 net-snmp: SNMP server and applications Several security issues were fixed in Net-SNMP. oval:org.secpod.oval:def:707693 curl: HTTP, HTTPS, and FTP client and client libraries curl could be denied access to a HTTP content if it recieved a specially crafted cookie. oval:org.secpod.oval:def:707874 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK. oval:org.secpod.oval:def:708681 sqlite3: C library that implements an SQL database engine Several security issues were fixed in SQLite. oval:org.secpod.oval:def:708571 axis: SOAP implementation in Java Axis could be made to crash or execute arbitrary code if it received specially crafted input. oval:org.secpod.oval:def:707658 libxml2: GNOME XML library libxml2 could be made to execute arbitrary code if it received a specially crafted file. oval:org.secpod.oval:def:708099 libxml2: GNOME XML library Several security issues were fixed in libxml2. oval:org.secpod.oval:def:708488 scipy: scientific library for Python - documentation Several security issues were fixed in SciPy. oval:org.secpod.oval:def:708655 binutils: GNU assembler, linker and binary utilities Several security issues were fixed in GNU binutils. oval:org.secpod.oval:def:708702 binutils: GNU assembler, linker and binary utilities Several security issues were fixed in GNU binutils. oval:org.secpod.oval:def:708118 libzen: ZenLib C++ utility library -- development files ZenLib could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:707723 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-gkeop: Linux kernel for Google Container Engine systems - linux-ibm: Linux kernel for I ... oval:org.secpod.oval:def:707728 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-kvm: Linux kernel for cloud environments - linux-lowlatency: Linux low latency kernel - linux-aws-5.15: Linux kernel for Amazon Web Services systems - ... oval:org.secpod.oval:def:707725 linux-hwe-5.15: Linux hardware enablement kernel - linux-lowlatency-hwe-5.15: Linux low latency kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:707810 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Goo ... oval:org.secpod.oval:def:707812 linux-intel-iotg: Linux kernel for Intel IoT platforms - linux-raspi: Linux kernel for Raspberry Pi systems - linux-gcp-5.15: Linux kernel for Google Cloud Platform systems - linux-gke-5.15: Linux kernel for Google Container Engine systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:707154 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-ibm: Linux kernel for IBM c ... oval:org.secpod.oval:def:707762 linux-gcp: Linux kernel for Google Cloud Platform systems - linux-raspi: Linux kernel for Raspberry Pi systems - linux-oracle-5.4: Linux kernel for Oracle Cloud systems - linux-raspi-5.4: Linux kernel for Raspberry Pi systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:707655 linux-oem-5.17: Linux kernel for OEM systems - linux-oem-5.14: Linux kernel for OEM systems The system could be made to run programs as an administrator. oval:org.secpod.oval:def:707654 linux: Linux kernel - linux-lowlatency: Linux low latency kernel - linux-hwe-5.15: Linux hardware enablement kernel - linux-lowlatency-hwe-5.15: Linux low latency kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:707815 linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Google Container Engine systems - linux-raspi-5.4: Linux kernel for Raspberry Pi systems Several security issues were fixed in the Linux ... oval:org.secpod.oval:def:707807 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-ibm: Linux kernel for IBM c ... oval:org.secpod.oval:def:708293 dwarves-dfsg: set of advanced DWARF utilities Several security issues were fixed in dwarves. oval:org.secpod.oval:def:708482 python3.9: An interactive high-level object-oriented language Several security issues were fixed in Python. oval:org.secpod.oval:def:708216 python3.11: An interactive high-level object-oriented language - python3.10: An interactive high-level object-oriented language - python3.8: An interactive high-level object-oriented language - python2.7: An interactive high-level object-oriented language - python3.6: An interactive high-level objec ... oval:org.secpod.oval:def:707635 python2.7: An interactive high-level object-oriented language - python3.10: Interactive high-level object-oriented language - python3.9: Interactive high-level object-oriented language - python3.8: An interactive high-level object-oriented language - python3.6: An interactive high-level object-ori ... oval:org.secpod.oval:def:706426 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gcp-5.13: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Google Container E ... oval:org.secpod.oval:def:706410 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud systems - linux-azure: Linux kernel for Microsoft Azure Cloud sys ... oval:org.secpod.oval:def:706404 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Go ... oval:org.secpod.oval:def:706398 linux-oem-5.14: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706391 linux-intel-5.13: Linux kernel for Intel IOTG Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706378 linux-oem-5.14: Linux kernel for OEM systems The system could be made to crash or run programs as an administrator. oval:org.secpod.oval:def:706365 linux-bluefield: Linux kernel for NVIDIA BlueField platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706341 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud sys ... oval:org.secpod.oval:def:708602 nodejs: An open-source, cross-platform JavaScript runtime environment. Several security issues were fixed in Node.js. oval:org.secpod.oval:def:707739 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK. oval:org.secpod.oval:def:707679 rsync: fast, versatile, remote file-copying tool rsync could be made to crash or run programs if it received specially crafted input. oval:org.secpod.oval:def:96505 vim: Vi IMproved - enhanced vi editor Several security issues were fixed in Vim. oval:org.secpod.oval:def:708096 vim: Vi IMproved - enhanced vi editor Several security issues were fixed in Vim. oval:org.secpod.oval:def:706214 linux-oem-5.10: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706210 linux-oem-5.14: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706212 linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-oracle: Linux kernel for Oracle Cloud systems - linux-gke-5.4: Linux kernel for Google Container Engine systems - linux-oracle-5.4: Linux kernel for Oracle Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706207 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Goo ... oval:org.secpod.oval:def:706206 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud sys ... oval:org.secpod.oval:def:706191 linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Google Container Engine systems - linux-oracle: Linux kernel for Oracle Cloud systems ... oval:org.secpod.oval:def:706193 linux-azure-5.8: Linux kernel for Microsoft Azure cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706188 linux: Linux kernel - linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-kvm: Linux kernel for cloud environments - linux-gcp-5.4: Linux kernel for Google Cloud Platform systems - linux-hwe-5.4: Linux hardware enablement kernel Several security issues were fixed in the Linux kern ... oval:org.secpod.oval:def:706187 linux-oem-5.10: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706189 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi: Linux kernel for Raspberry Pi syst ... oval:org.secpod.oval:def:706183 linux-oem-5.13: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706174 linux-oem-5.10: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706164 linux-raspi: Linux kernel for Raspberry Pi systems - linux-raspi-5.4: Linux kernel for Raspberry Pi systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706156 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Goo ... oval:org.secpod.oval:def:706148 linux-raspi: Linux kernel for Raspberry Pi systems - linux-raspi-5.4: Linux kernel for Raspberry Pi systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706143 linux-oem-5.13: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706132 linux-azure-5.8: Linux kernel for Microsoft Azure cloud systems - linux-oem-5.10: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706131 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud sys ... oval:org.secpod.oval:def:706130 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Goo ... oval:org.secpod.oval:def:705697 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud sys ... oval:org.secpod.oval:def:708436 modsecurity-apache: Tighten web applications security for Apache Several security issues were fixed in ModSecurity. oval:org.secpod.oval:def:706045 intel-microcode: Processor microcode for Intel CPUs Several security issues were fixed in Intel Microcode. oval:org.secpod.oval:def:83403 libxslt: XSLT processing library Several security issues were fixed in Libxslt. oval:org.secpod.oval:def:708610 apache2: Apache HTTP server Several security issues were fixed in Apache HTTP Server. oval:org.secpod.oval:def:708263 bind9: Internet Domain Name Server Several security issues were fixed in Bind. oval:org.secpod.oval:def:708228 linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708088 linux-bluefield: Linux kernel for NVIDIA BlueField platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708053 linux-oem-5.17: Linux kernel for OEM systems - linux-oem-5.14: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708056 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Goo ... oval:org.secpod.oval:def:708692 linux-iot: Linux kernel for IoT platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708688 linux-gkeop: Linux kernel for Google Container Engine systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708667 linux-oracle: Linux kernel for Oracle Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708662 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-ibm: Linux kernel for IBM c ... oval:org.secpod.oval:def:708657 linux-raspi: Linux kernel for Raspberry Pi systems - linux-oracle-5.4: Linux kernel for Oracle Cloud systems - linux-raspi-5.4: Linux kernel for Raspberry Pi systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708288 linux-intel-iotg: Linux kernel for Intel IoT platforms - linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708285 linux-gke: Linux kernel for Google Container Engine systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708274 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-lowlatency: Linux low latency kernel - linux-raspi: Linux kernel for Raspberry Pi systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: ... oval:org.secpod.oval:def:708307 linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708392 amd64-microcode: Processor microcode firmware for AMD CPUs AMD processors may allow an attacker to expose sensitive information due to a speculative execution vulnerability. oval:org.secpod.oval:def:708135 linux-raspi: Linux kernel for Raspberry Pi systems - linux-raspi-5.4: Linux kernel for Raspberry Pi systems - linux-raspi2: Linux kernel for Raspberry Pi systems The system could be made to run programs as an administrator. oval:org.secpod.oval:def:708137 linux-raspi: Linux kernel for Raspberry Pi systems - linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708116 linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-kvm: Linux kernel for cloud environments - linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708317 amd64-microcode: Processor microcode firmware for AMD CPUs AMD processors may allow an attacker to expose sensitive information due to a vector register speculative execution vulnerability. oval:org.secpod.oval:def:708333 linux-iot: Linux kernel for IoT platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708328 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Goo ... oval:org.secpod.oval:def:708327 linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708322 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel fo ... oval:org.secpod.oval:def:708637 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gkeop: Linux kernel for Google Container Engine systems - linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems - linux-gcp-5.4: Linux kernel for Google Cloud P ... oval:org.secpod.oval:def:708695 linux-gcp-5.15: Linux kernel for Google Cloud Platform systems - linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708668 linux-lowlatency: Linux low latency kernel - linux-lowlatency-hwe-5.15: Linux low latency kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708663 linux-gkeop: Linux kernel for Google Container Engine systems - linux-gkeop-5.15: Linux kernel for Google Container Engine systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708660 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel fo ... oval:org.secpod.oval:def:708743 openssl: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL. oval:org.secpod.oval:def:708286 linux-intel-iotg: Linux kernel for Intel IoT platforms - linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708266 linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine sy ... oval:org.secpod.oval:def:708026 linux-ibm: Linux kernel for IBM cloud systems - linux-ibm-5.4: Linux kernel for IBM cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708012 linux-raspi: Linux kernel for Raspberry Pi systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708249 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Goo ... oval:org.secpod.oval:def:708244 linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708229 linux-intel-iotg: Linux kernel for Intel IoT platforms - linux-raspi: Linux kernel for Raspberry Pi systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708212 linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708211 linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-aws-5.4: Linux kernel for Amazon Web Services systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708207 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Goo ... oval:org.secpod.oval:def:708202 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-ibm: Linux kernel for IBM cloud systems - linux-kvm: Linux kernel for cloud environments - ... oval:org.secpod.oval:def:708209 linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708194 linux-oracle: Linux kernel for Oracle Cloud systems - linux-oracle-5.4: Linux kernel for Oracle Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708152 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-ibm: Linux kernel for IBM cloud systems - linux-kvm: Linux kernel for cloud envir ... oval:org.secpod.oval:def:708369 linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors - linux-hwe-5.4: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708355 intel-microcode: Processor microcode for Intel CPUs Several security issues were fixed in Intel Microcode. oval:org.secpod.oval:def:708353 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gkeop: Linux kernel for Google Container Engine systems - linux-iot: Linux kernel for IoT platforms - linux-kvm: Linux kernel for cloud environments - ... oval:org.secpod.oval:def:706389 linux-azure-5.13: Linux kernel for Microsoft Azure cloud systems - linux-oracle-5.13: Linux kernel for Oracle Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708325 linux-iot: Linux kernel for IoT platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:707650 linux-bluefield: Linux kernel for NVIDIA BlueField platforms - linux-gcp-5.4: Linux kernel for Google Cloud Platform systems - linux-gke-5.4: Linux kernel for Google Container Engine systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:707851 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:707856 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708097 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Goo ... oval:org.secpod.oval:def:708091 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel fo ... oval:org.secpod.oval:def:708074 linux-bluefield: Linux kernel for NVIDIA BlueField platforms Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708057 linux-gke: Linux kernel for Google Container Engine systems - linux-ibm: Linux kernel for IBM cloud systems - linux-kvm: Linux kernel for cloud environments - linux-gke-5.15: Linux kernel for Google Container Engine systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:708054 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gkeop: Linux kernel ... oval:org.secpod.oval:def:708294 linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:98212 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:90541 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:708831 vim: Vi IMproved - enhanced vi editor Vim could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:708832 openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK 8. oval:org.secpod.oval:def:708848 crmsh: CRM shell for the pacemaker cluster manager CRM shell could be made to execute arbitrary code if it received a specially crafted input. oval:org.secpod.oval:def:708849 debian-goodies: Small toolbox-style utilities for Debian systems debmany in Debian Goodies could be made to execute arbitrary shell commands if it received a specially crafted deb file. oval:org.secpod.oval:def:708852 libnet-cidr-lite-perl: module for merging IPv4 or IPv6 CIDR address ranges Net::CIDR::Lite could allow unintended access to network services. oval:org.secpod.oval:def:706422 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud sys ... oval:org.secpod.oval:def:708728 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:708860 unixodbc: Basic ODBC tools unixODBC could be made to crash or execute arbitrary code. oval:org.secpod.oval:def:708869 util-linux: miscellaneous system utilities Details: USN-6719-1 fixed a vulnerability in util-linux. Unfortunately, it was discovered that the fix did not fully address the issue. This update removes the setgid permission bit from the wall and write utilities. Original advisory util-linux could be ma ... oval:org.secpod.oval:def:708858 util-linux: miscellaneous system utilities util-linux could be made to expose sensitive information. oval:org.secpod.oval:def:708875 - maven-shared-utils: A collection of Maven utility classes. maven-shared-utils could be made to run programs if it received specially crafted input. oval:org.secpod.oval:def:708879 yard: Ruby documentation tool Several security issues were fixed in yard. oval:org.secpod.oval:def:708679 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:99099 nss: Network Security Service library Several security issues were fixed in NSS. oval:org.secpod.oval:def:99100 squid: Web proxy cache server Several security issues were fixed in Squid. oval:org.secpod.oval:def:708716 squid: Web proxy cache server Several security issues were fixed in Squid. oval:org.secpod.oval:def:708283 python-django: High-level Python web development framework Django could be made to consume resources if it received specially crafted network traffic. oval:org.secpod.oval:def:708435 python-django: High-level Python web development framework Django could be made to crash or consume resources if it received specially crafted network traffic. oval:org.secpod.oval:def:708744 python-django: High-level Python web development framework Django could be made to denial of service if received a specially crafted input. oval:org.secpod.oval:def:708588 quagga: BGP/OSPF/RIP routing daemon Quagga could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:708613 nghttp2: HTTP/2 C Library and tools nghttp2 could be made to consume resources if it received specially crafted network traffic. oval:org.secpod.oval:def:708242 glib2.0: GLib library of C routines Several security issues were fixed in GLib. oval:org.secpod.oval:def:708310 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:707883 heimdal: Heimdal Kerberos Network Authentication Protocol Several security issues were fixed in Heimdal. oval:org.secpod.oval:def:707651 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:706161 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud systems - linux-raspi: Linux kernel for Raspberry Pi systems - li ... oval:org.secpod.oval:def:706163 linux-oem-5.13: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:706159 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-signed-azure: Signed kernel image azure - linux-azure-5.11: Linux kernel for Microsoft Azure cloud systems - linux-hwe-5.11: Linux hardware enablement kernel - linux-oracle-5.11: Linux kernel for Oracle Cloud systems Several securi ... oval:org.secpod.oval:def:705735 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:708677 openssh: secure shell for secure access to remote machines Several security issues were fixed in OpenSSH. oval:org.secpod.oval:def:708676 libssh: A tiny C SSH library A security issue was fixed in libssh. oval:org.secpod.oval:def:708723 paramiko: Python SSH2 library A protocol flaw was fixed in Paramiko. oval:org.secpod.oval:def:708711 filezilla: Full-featured graphical FTP/FTPS/SFTP client FileZilla could be made to expose sensitive information over the network. oval:org.secpod.oval:def:708739 runc: Open Container Project runC could be made to expose sensitive information or allow to escape contianers. oval:org.secpod.oval:def:707647 mysql-8.0: MySQL database - mysql-5.7: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:708697 golang-1.20: Go programming language compiler - golang-1.21: Go programming language compiler Several security issues were fixed in Go. oval:org.secpod.oval:def:708419 grub2-signed: GRand Unified Bootloader - grub2-unsigned: GRand Unified Bootloader - shim: boot loader to chain-load signed boot loaders under Secure Boot - shim-signed: Secure Boot chain-loading bootloader Several security issues were fixed in GRUB2. oval:org.secpod.oval:def:707144 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Go ... oval:org.secpod.oval:def:707141 linux-oem-5.14: Linux kernel for OEM systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:707139 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud sys ... oval:org.secpod.oval:def:708635 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-gke: Linux kernel for Google Container Engine systems - linux-gkeop: Linux kernel for Google Contain ... oval:org.secpod.oval:def:708367 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-ibm: Linux kernel for IBM cloud systems - linux-intel-iotg: Linux kernel for Intel IoT platforms - linux-kvm: Linux kernel for cloud environments - linu ... oval:org.secpod.oval:def:708670 xorg-server: X.Org X11 server - xwayland: X server for running X clients under Wayland Several security issues were fixed in X.Org X Server. oval:org.secpod.oval:def:708706 xorg-server: X.Org X11 server - xwayland: X server for running X clients under Wayland Several security issues were fixed in X.Org X Server. oval:org.secpod.oval:def:708877 gnutls28: GNU TLS library Several security issues were fixed in GnuTLS. oval:org.secpod.oval:def:708856 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:708840 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:96507 openssh: secure shell for secure access to remote machines Several security issues were fixed in OpenSSH. oval:org.secpod.oval:def:98220 pillow: Python Imaging Library Several security issues were fixed in Pillow. oval:org.secpod.oval:def:94745 squid: Web proxy cache server Several security issues were fixed in Squid. oval:org.secpod.oval:def:708863 xorg-server: X.Org X11 server - xwayland: X server for running X clients under Wayland Several security issues were fixed in X.Org X Server, xwayland. oval:org.secpod.oval:def:708878 libvirt: Libvirt virtualization toolkit Several security issues were fixed in libvirt. oval:org.secpod.oval:def:708872 apache2: Apache HTTP server Several security issues were fixed in Apache HTTP Server. oval:org.secpod.oval:def:708859 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:708768 bind9: Internet Domain Name Server Several security issues were fixed in Bind. oval:org.secpod.oval:def:708643 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:708851 firefox: Mozilla Open Source web browser Several security issues were fixed in Firefox. oval:org.secpod.oval:def:708672 libreoffice: Office productivity suite Details: USN-6546-1 fixed vulnerabilities in LibreOffice. This update provides the corresponding updates for Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. Original advisory Several security issues were fixed in LibreOffice. |
