
Ubuntu Linux has received an update that includes multiple security patches, addressing vulnerabilities in AsyncSSH, WebKitGTK, GLib, and curl:

[USN-7108-1] AsyncSSH vulnerabilities
[USN-7113-1] WebKitGTK vulnerabilities
[USN-7114-1] GLib vulnerability
[USN-7104-1] curl vulnerability





[USN-7108-1] AsyncSSH vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7108-1
November 18, 2024

python-asyncssh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several issues were fixed in AsyncSSH.

Software Description:
- python-asyncssh: asyncio-based client and server implementation of SSHv2
protocol

Details:

Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that AsyncSSH
did not properly handle the extension info message. An attacker able to
intercept communications could possibly use this issue to downgrade
the algorithm used for client authentication. (CVE-2023-46445)

Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that AsyncSSH
did not properly handle the user authentication request message. An
attacker could possibly use this issue to control the remote end of an SSH
client session via packet injection/removal and shell emulation.
(CVE-2023-46446)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-asyncssh                2.10.1-2ubuntu0.1+esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  python3-asyncssh                2.5.0-1ubuntu0.1

Ubuntu 20.04 LTS
  python3-asyncssh                1.12.2-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7108-1
  CVE-2023-46445, CVE-2023-46446

Package Information:
https://launchpad.net/ubuntu/+source/python-asyncssh/2.5.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-asyncssh/1.12.2-1ubuntu0.2



[USN-7113-1] WebKitGTK vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7113-1
November 18, 2024

webkit2gtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:
- webkit2gtk: Web content engine library for GTK+

Details:

Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  libjavascriptcoregtk-4.1-0      2.46.3-0ubuntu0.24.10.1
  libjavascriptcoregtk-6.0-1      2.46.3-0ubuntu0.24.10.1
  libwebkit2gtk-4.1-0             2.46.3-0ubuntu0.24.10.1
  libwebkitgtk-6.0-4              2.46.3-0ubuntu0.24.10.1

Ubuntu 24.04 LTS
  libjavascriptcoregtk-4.1-0      2.46.3-0ubuntu0.24.04.1
  libjavascriptcoregtk-6.0-1      2.46.3-0ubuntu0.24.04.1
  libwebkit2gtk-4.1-0             2.46.3-0ubuntu0.24.04.1
  libwebkitgtk-6.0-4              2.46.3-0ubuntu0.24.04.1

Ubuntu 22.04 LTS
  libjavascriptcoregtk-4.0-18     2.46.3-0ubuntu0.22.04.1
  libjavascriptcoregtk-4.1-0      2.46.3-0ubuntu0.22.04.1
  libjavascriptcoregtk-6.0-1      2.46.3-0ubuntu0.22.04.1
  libwebkit2gtk-4.0-37            2.46.3-0ubuntu0.22.04.1
  libwebkit2gtk-4.1-0             2.46.3-0ubuntu0.22.04.1
  libwebkitgtk-6.0-4              2.46.3-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7113-1
CVE-2024-44244, CVE-2024-44296

Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.3-0ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.3-0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.3-0ubuntu0.22.04.1



[USN-7114-1] GLib vulnerability


==========================================================================
Ubuntu Security Notice USN-7114-1
November 18, 2024

glib2.0 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

GLib could be made to crash or exhibit other undefined behavior
if it received specially crafted input.

Software Description:
- glib2.0: GLib library of C routines

Details:

It was discovered that GLib incorrectly handled certain trailing
characters. An attacker could possibly use this issue to cause
a crash or other undefined behavior.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libglib2.0-0t64                 2.80.0-6ubuntu3.2
  libglib2.0-bin                  2.80.0-6ubuntu3.2

Ubuntu 22.04 LTS
  libglib2.0-0                    2.72.4-0ubuntu2.4
  libglib2.0-bin                  2.72.4-0ubuntu2.4

Ubuntu 20.04 LTS
  libglib2.0-0                    2.64.6-1~ubuntu20.04.8
  libglib2.0-bin                  2.64.6-1~ubuntu20.04.8

Ubuntu 18.04 LTS
  libglib2.0-0                    2.56.4-0ubuntu0.18.04.9+esm4
                                  Available with Ubuntu Pro
  libglib2.0-bin                  2.56.4-0ubuntu0.18.04.9+esm4
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libglib2.0-0                    2.48.2-0ubuntu4.8+esm4
                                  Available with Ubuntu Pro
  libglib2.0-bin                  2.48.2-0ubuntu4.8+esm4
                                  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7114-1
CVE-2024-52533

Package Information:
https://launchpad.net/ubuntu/+source/glib2.0/2.80.0-6ubuntu3.2
https://launchpad.net/ubuntu/+source/glib2.0/2.72.4-0ubuntu2.4
https://launchpad.net/ubuntu/+source/glib2.0/2.64.6-1~ubuntu20.04.8



[USN-7104-1] curl vulnerability


==========================================================================
Ubuntu Security Notice USN-7104-1
November 18, 2024

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

curl could be made to expose sensitive information over the network.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

It was discovered that curl could overwrite the HSTS expiry of the parent
domain with the subdomain's HSTS entry. This could lead to curl switching
back to insecure HTTP earlier than otherwise intended, resulting in
information exposure.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  curl                            8.9.1-2ubuntu2.1
  libcurl3t64-gnutls              8.9.1-2ubuntu2.1
  libcurl4t64                     8.9.1-2ubuntu2.1

Ubuntu 24.04 LTS
  curl                            8.5.0-2ubuntu10.5
  libcurl3t64-gnutls              8.5.0-2ubuntu10.5
  libcurl4t64                     8.5.0-2ubuntu10.5

Ubuntu 22.04 LTS
  curl                            7.81.0-1ubuntu1.19
  libcurl3-gnutls                 7.81.0-1ubuntu1.19
  libcurl3-nss                    7.81.0-1ubuntu1.19
  libcurl4                        7.81.0-1ubuntu1.19

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7104-1
  CVE-2024-9681

Package Information:
  https://launchpad.net/ubuntu/+source/curl/8.9.1-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.5
  https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.19