[USN-7474-1] Docker vulnerabilities
[USN-7473-1] Ghostscript vulnerability
[USN-7472-1] Micropython vulnerabilities
[USN-7474-1] Docker vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7474-1
May 01, 2025
docker.io vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Docker.
Software Description:
- docker.io: reusable Go packages included with Docker
Details:
Cory Snider discovered that Docker incorrectly handled networking packet
encapsulation. An attacker could use this issue to inject internet
packets in established connection, possibly causing a denial of service or
bypassing firewall protections. This issue only affected Ubuntu 22.04 LTS,
Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS. (CVE-2023-28840, CVE-2023-28841,
CVE-2023-28842)
Rory McNamara discovered that Docker incorrectly handled cache in the
BuildKit toolkit. An attacker could possibly use this issue to expose
sensitive information. (CVE-2024-23651)
It was discovered that Docker incorrectly handled parallel operations in
some circumstances, which could possibly lead to undefined behavior.
(CVE-2024-36621, CVE-2024-36623)
Rory McNamara discovered that Docker incorrectly verified file paths during
a certain command in the BuildKit toolkit. An attacker could possibly use
this issue to delete arbitrary files from the system. (CVE-2024-23652)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
golang-github-docker-docker-dev 20.10.25+dfsg1-2ubuntu1+esm2
Available with Ubuntu Pro
Ubuntu 22.04 LTS
golang-github-docker-docker-dev 20.10.21-0ubuntu1~22.04.7+esm2
Available with Ubuntu Pro
Ubuntu 20.04 LTS
golang-github-docker-docker-dev 20.10.21-0ubuntu1~20.04.6+esm2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
docker.io 20.10.21-0ubuntu1~18.04.3+esm3
Available with Ubuntu Pro
golang-github-docker-docker-dev 20.10.21-0ubuntu1~18.04.3+esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7474-1
CVE-2023-28840, CVE-2023-28841, CVE-2023-28842, CVE-2024-23651,
CVE-2024-23652, CVE-2024-36621, CVE-2024-36623
[USN-7473-1] Ghostscript vulnerability
==========================================================================
Ubuntu Security Notice USN-7473-1
May 01, 2025
ghostscript vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
Summary:
Ghostscript could be made to crash, run programs, or read files if it
opened a specially crafted file.
Software Description:
- ghostscript: PostScript and PDF interpreter
Details:
It was discovered that Ghostscript incorrectly handled parsing certain PS
files. An attacker could use this issue to cause Ghostscript to crash,
resulting in a denial of service, or possibly bypass file path validation.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
ghostscript 10.03.1~dfsg1-0ubuntu2.3
libgs10 10.03.1~dfsg1-0ubuntu2.3
Ubuntu 24.04 LTS
ghostscript 10.02.1~dfsg1-0ubuntu7.6
libgs10 10.02.1~dfsg1-0ubuntu7.6
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7473-1
CVE-2025-46646
Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/10.03.1~dfsg1-0ubuntu2.3
https://launchpad.net/ubuntu/+source/ghostscript/10.02.1~dfsg1-0ubuntu7.6
[USN-7472-1] Micropython vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7472-1
May 01, 2025
micropython vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in micropython.
Software Description:
- micropython: Implementation of Python 3.x on microcontrollers and small embedded systems.
Details:
Junwha Hong and Wonil Jang discovered that Micropython incorrectly handled
the length of a buffer in mp_vfs_umount, leading to a heap-based buffer
overflow vulnerability. If a user or automated system were tricked into
opening a specially crafted file, an attacker could possibly use this issue
to cause a denial of service or possibly execute arbitrary code.
(CVE-2024-8946)
Junwha Hong and Wonil Jang discovered that Micropython incorrectly handled
memory, leading to a use-after-free vulnerability under certain
circumstances. If a user or automated system were tricked into opening a
specially crafted file, an attacker could possibly use this issue to
cause a denial of service or possibly execute arbitrary code.
(CVE-2024-8947)
It was discovered that Middleware USB Host MCU Component incorrectly
handled memory, leading to a buffer overflow vulnerability. If a user or
automated system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to cause a denial of service or
possibly execute arbitrary code. (CVE-2021-42553)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
micropython 1.22.1+ds-1ubuntu0.24.10.1
Ubuntu 24.04 LTS
micropython 1.22.1+ds-1ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
micropython 1.17+ds-1.1ubuntu2+esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
micropython 1.12-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7472-1
CVE-2021-42553, CVE-2024-8946, CVE-2024-8947
Package Information:
https://launchpad.net/ubuntu/+source/micropython/1.22.1+ds-1ubuntu0.24.10.1
