==========================================================================
Ubuntu Security Notice USN-6730-1
April 11, 2024

maven-shared-utils vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 22.04 LTS
- - Ubuntu 20.04 LTS
- - Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- - Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- - Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

maven-shared-utils could be made to run programs if it received
specially crafted input.

Software Description:
- - maven-shared-utils: A collection of Maven utility classes.

Details:

It was discovered that Apache Maven Shared Utils did not handle double-quoted
strings properly, allowing shell injection attacks. This could allow an
attacker to run arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
libmaven-shared-utils-java 3.3.0-1ubuntu0.22.04.1

Ubuntu 20.04 LTS:
libmaven-shared-utils-java 3.3.0-1ubuntu0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 3.3.0-1ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 0.9-1ubuntu0.1~esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 0.4-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6730-1
CVE-2022-29599

Package Information:
https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.20.04.1
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmYYcLwACgkQ3gXQmO/T
r3yYcRAAgdreHC0o+VtyTJL/jorqqs7vKGZv4qC0XhaP69STRNtlSR4rG4I9wRqm
BOhmBVLJylEtxfAxiWrnag5N04CBR12nr/Shk+JCm06e/5ROnu9LYiCoMowORZzy
Nnlu82qRmCwvnL9iSWzI4wnArDehMVniOCMmWNCfpa6/UXoh1gVCjikRAWRlBOAv
uA0KrR0cNwJ90G5wuB59zqxoUPZBf+AVCkjXYSv5WbWTvLrZbz8zhmKvc8kqu1OL
0D05mwH5kxXuhapZ8kBqapytjP+GmuRjHFI7kk+3yhPul2J0JDcNGO99lOZ2lUfz
IXk1S/XQTt2aEhdoanrpI6lVXcVHA0yr5I03bFEDg8D1BwZRm29KBrH2wsHdpN6J
XWIHfaHR7kYfDVsm9kpc72b7jv/aDD66vPsI/W3A/2QttpwpjwXgZSc2Mtx/WE+T
O5/b0jtpNrwHHYLigE2PYMPaRPjxtxhQ7qnd6FccNQl9+fOrKw9NHBAu0r5s4jlI
cU9d47W/mdEcM3y5OuSe8lN6rtHsvnjaQxuuO5lCLKIOpohi7YyyaU5aHGXns34P
FnImexzC8YxRvbR5ku/4ZgOAcPv9kC0wMDiC7rggqLGlhsohoca1wXG2TRIsinx5
fRFjffvqcF6bbfyjWIKKZaM4y1QmhX3+Eth77QEqLb0InJAWDp4=
=P4zw
-----END PGP SIGNATURE-----