Ubuntu 6366 Published by

The following updates have been released for Ubuntu Linux:

[USN-6779-1] Firefox vulnerabilities
[USN-6780-1] idna vulnerability
[USN-6781-1] Spreadsheet::ParseExcel vulnerability
[USN-6777-3] Linux kernel (GCP) vulnerabilities
[USN-6775-2] Linux kernel vulnerabilities




[USN-6779-1] Firefox vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6779-1
May 21, 2024

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-4767,
CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773,
CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778)

Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory
when audio input connected with multiple consumers. An attacker could
potentially exploit this issue to cause a denial of service, or execute
arbitrary code. (CVE-2024-4764)

Thomas Rinsma discovered that Firefox did not properly handle type check
when handling fonts in PDF.js. An attacker could potentially exploit this
issue to execute arbitrary javascript code in PDF.js. (CVE-2024-4367)

Irvan Kurniawan discovered that Firefox did not properly handle certain
font styles when saving a page to PDF. An attacker could potentially
exploit this issue to cause a denial of service. (CVE-2024-4770)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
firefox 126.0+build2-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all the
necessary changes.

References:
https://ubuntu.com/security/notices/USN-6779-1
CVE-2024-4367, CVE-2024-4764, CVE-2024-4767, CVE-2024-4768,
CVE-2024-4769, CVE-2024-4770, CVE-2024-4771, CVE-2024-4772,
CVE-2024-4773, CVE-2024-4774, CVE-2024-4775, CVE-2024-4776,
CVE-2024-4777, CVE-2024-4778

Package Information:
https://launchpad.net/ubuntu/+source/firefox/126.0+build2-0ubuntu0.20.04.1



[USN-6780-1] idna vulnerability


==========================================================================
Ubuntu Security Notice USN-6780-1
May 21, 2024

python-idna vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

idna could be made to consume significant resources if it receives a specially crafted input.

Software Description:
- python-idna: Python IDNA2008 (RFC 5891) handling

Details:

Guido Vranken discovered that idna did not properly manage certain inputs,
which could lead to significant resource consumption. An attacker could
possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-idna                    3.6-2ubuntu0.1

Ubuntu 23.10
  python3-idna                    3.3-2ubuntu0.1

Ubuntu 22.04 LTS
  python3-idna                    3.3-1ubuntu0.1

Ubuntu 20.04 LTS
  python-idna                     2.8-1ubuntu0.1
  python3-idna                    2.8-1ubuntu0.1

Ubuntu 18.04 LTS
  pypy-idna                       2.6-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python-idna                     2.6-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-idna                    2.6-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  pypy-idna                       2.0-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python-idna                     2.0-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-idna                    2.0-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6780-1
  CVE-2024-3651

Package Information:
  https://launchpad.net/ubuntu/+source/python-idna/3.6-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-idna/3.3-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-idna/3.3-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/python-idna/2.8-1ubuntu0.1



[USN-6781-1] Spreadsheet::ParseExcel vulnerability


==========================================================================
Ubuntu Security Notice USN-6781-1
May 21, 2024

libspreadsheet-parseexcel-perl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Spreadsheet::ParseExcel could possibly run commands if it processed a
specially crafted file.

Software Description:
- libspreadsheet-parseexcel-perl: Perl module to access information from
Excel Spreadsheets

Details:

Le Dinh Hai discovered that Spreadsheet::ParseExcel was passing
unvalidated input from a file into a string-type "eval". An attacker
could craft a malicious file to achieve arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
libspreadsheet-parseexcel-perl 0.6500-1.1ubuntu0.1

Ubuntu 20.04 LTS
libspreadsheet-parseexcel-perl 0.6500-1ubuntu0.20.04.1

Ubuntu 18.04 LTS
libspreadsheet-parseexcel-perl 0.6500-1ubuntu0.18.04.1~esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libspreadsheet-parseexcel-perl 0.6500-1ubuntu0.16.04.1~esm1
Available with Ubuntu Pro

Ubuntu 14.04 LTS
libspreadsheet-parseexcel-perl 0.5800-1ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6781-1
CVE-2023-7101

Package Information:
https://launchpad.net/ubuntu/+source/libspreadsheet-parseexcel-perl/0.6500-1.1ubuntu0.1
https://launchpad.net/ubuntu/+source/libspreadsheet-parseexcel-perl/0.6500-1ubuntu0.20.04.1



[USN-6777-3] Linux kernel (GCP) vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6777-3
May 21, 2024

linux-gcp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a use-
after-free vulnerability. A physically proximate attacker could possibly
use this to cause a denial of service (system crash). (CVE-2023-47233)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Block layer subsystem;
- Userspace I/O drivers;
- Ceph distributed file system;
- Ext4 file system;
- JFS file system;
- NILFS2 file system;
- Bluetooth subsystem;
- Networking core;
- IPv4 networking;
- IPv6 networking;
- Logical Link layer;
- MAC80211 subsystem;
- Netlink;
- NFC subsystem;
- Tomoyo security module;
(CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, CVE-2023-52439,
CVE-2024-26635, CVE-2023-52602, CVE-2024-26614, CVE-2024-26704,
CVE-2023-52604, CVE-2023-52566, CVE-2021-46981, CVE-2024-26622,
CVE-2024-26735, CVE-2024-26805, CVE-2024-26801, CVE-2023-52583)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
linux-image-4.15.0-1162-gcp 4.15.0-1162.179~16.04.1
Available with Ubuntu Pro
linux-image-gcp 4.15.0.1162.179~16.04.1
Available with Ubuntu Pro
linux-image-gke 4.15.0.1162.179~16.04.1
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6777-3
https://ubuntu.com/security/notices/USN-6777-1
CVE-2021-46981, CVE-2023-47233, CVE-2023-52439, CVE-2023-52524,
CVE-2023-52530, CVE-2023-52566, CVE-2023-52583, CVE-2023-52601,
CVE-2023-52602, CVE-2023-52604, CVE-2024-26614, CVE-2024-26622,
CVE-2024-26635, CVE-2024-26704, CVE-2024-26735, CVE-2024-26801,
CVE-2024-26805



[USN-6775-2] Linux kernel vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6775-2
May 21, 2024

linux-aws, linux-aws-5.15, linux-gke vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems

Details:

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a use-
after-free vulnerability. A physically proximate attacker could possibly
use this to cause a denial of service (system crash). (CVE-2023-47233)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- MAC80211 subsystem;
- Tomoyo security module;
(CVE-2024-26622, CVE-2023-52530)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
linux-image-5.15.0-1059-gke 5.15.0-1059.64
linux-image-5.15.0-1062-aws 5.15.0-1062.68
linux-image-aws-lts-22.04 5.15.0.1062.62
linux-image-gke 5.15.0.1059.58
linux-image-gke-5.15 5.15.0.1059.58

Ubuntu 20.04 LTS
linux-image-5.15.0-1062-aws 5.15.0-1062.68~20.04.1
linux-image-aws 5.15.0.1062.68~20.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6775-2
https://ubuntu.com/security/notices/USN-6775-1
CVE-2023-47233, CVE-2023-52530, CVE-2024-26622

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1062.68
https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1059.64
https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1062.68~20.04.1