What does USN-4171-5 address?

USN-4171-5 addresses a regression in autopkgtest and Python 2 compatibility after USN-4171-1 fixed vulnerabilities in Apport.

How do I fix the vulnerabilities identified in USN-4171-5?

To fix the vulnerabilities described in USN-4171-5, you should upgrade the apport and python-apport packages to the recommended versions: 2.20.11-0ubuntu8.6 for Ubuntu 19.10 and corresponding versions for other affected Ubuntu releases.

Which versions of Ubuntu are affected by USN-4171-5?

USN-4171-5 affects Ubuntu 19.10, 18.04, and 16.04 with specific versions of the apport and python-apport packages.

What is the impact of the issues resolved by USN-4171-5?

The issues resolved by USN-4171-5 could potentially lead to compatibility issues with automated testing on those systems.

Is there a workaround for the issues identified in USN-4171-5?

Currently, there are no specific workarounds mentioned for the issues in USN-4171-5; updating the affected packages is recommended.

Vulnerability/
USN-4171-5

18/3/2020

USN-4171-5: Apport regression

First published: Wed Mar 18 2020(Updated: )

USN-4171-1 fixed vulnerabilities in Apport. This caused a regression in autopkgtest and python2 compatibility. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. This could be used by a local attacker to possibly crash Apport or have other unspecified consequences. (CVE-2019-11481) Sander Bos discovered a race-condition in Apport during core dump creation. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. (CVE-2019-11482) Sander Bos discovered Apport mishandled crash dumps originating from containers. This could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. (CVE-2019-11483) Sander Bos discovered Apport mishandled lock-file creation. This could be used by a local attacker to cause a denial of service against Apport. (CVE-2019-11485) Kevin Backhouse discovered Apport read various process-specific files with elevated privileges during crash dump generation. This could could be used by a local attacker to generate a crash report for a privileged process that is readable by an unprivileged user. (CVE-2019-15790)

Affected Software	Affected Version	How to fix
All of
ubuntu/apport	<2.20.11-0ubuntu8.6	2.20.11-0ubuntu8.6
Ubuntu OpenSSH Client	=19.10
All of
ubuntu/python-apport	<2.20.11-0ubuntu8.6	2.20.11-0ubuntu8.6
Ubuntu OpenSSH Client	=19.10
All of
ubuntu/python3-apport	<2.20.11-0ubuntu8.6	2.20.11-0ubuntu8.6
Ubuntu OpenSSH Client	=19.10
All of
ubuntu/apport	<2.20.9-0ubuntu7.12	2.20.9-0ubuntu7.12
Ubuntu OpenSSH Client	=18.04
All of
ubuntu/python-apport	<2.20.9-0ubuntu7.12	2.20.9-0ubuntu7.12
Ubuntu OpenSSH Client	=18.04
All of
ubuntu/python3-apport	<2.20.9-0ubuntu7.12	2.20.9-0ubuntu7.12
Ubuntu OpenSSH Client	=18.04
All of
ubuntu/apport	<2.20.1-0ubuntu2.22	2.20.1-0ubuntu2.22
Ubuntu OpenSSH Client	=16.04
All of
ubuntu/python-apport	<2.20.1-0ubuntu2.22	2.20.1-0ubuntu2.22
Ubuntu OpenSSH Client	=16.04
All of
ubuntu/python3-apport	<2.20.1-0ubuntu2.22	2.20.1-0ubuntu2.22
Ubuntu OpenSSH Client	=16.04

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What does USN-4171-5 address?
USN-4171-5 addresses a regression in autopkgtest and Python 2 compatibility after USN-4171-1 fixed vulnerabilities in Apport.
How do I fix the vulnerabilities identified in USN-4171-5?
To fix the vulnerabilities described in USN-4171-5, you should upgrade the apport and python-apport packages to the recommended versions: 2.20.11-0ubuntu8.6 for Ubuntu 19.10 and corresponding versions for other affected Ubuntu releases.
Which versions of Ubuntu are affected by USN-4171-5?
USN-4171-5 affects Ubuntu 19.10, 18.04, and 16.04 with specific versions of the apport and python-apport packages.
What is the impact of the issues resolved by USN-4171-5?
The issues resolved by USN-4171-5 could potentially lead to compatibility issues with automated testing on those systems.
Is there a workaround for the issues identified in USN-4171-5?
Currently, there are no specific workarounds mentioned for the issues in USN-4171-5; updating the affected packages is recommended.

agent/severity
agent/references
agent/type
agent/first-publish-date
agent/last-modified-date
agent/event
agent/description
agent/title
agent/source
agent/tags
agent/softwarecombine
collector/usn
source/Ubuntu
agent/software-canonical-lookup
agent/software-canonical-lookup-request
package-manager/ubuntu
vendor/ubuntu
canonical/ubuntu openssh client
version/ubuntu openssh client/19.10
version/ubuntu openssh client/18.04
version/ubuntu openssh client/16.04