[USN-7230-2] FRR vulnerabilities
[USN-7230-1] Quagga vulnerability
[USN-7179-4] Linux kernel (Xilinx ZynqMP) vulnerabilities
[USN-7229-1] ClamAV vulnerability
[USN-7228-1] LibreOffice vulnerabilities
[USN-7230-2] FRR vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7230-2
January 27, 2025
frr vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
FRR could be made to crash or exhibit degraded performance if it received
specially crafted network traffic.
Software Description:
- frr: FRRouting suite of internet protocols
Details:
Iggy Frankovic discovered that FRR incorrectly handled certain BGP
messages. A remote attacker could possibly use this issue to cause FRR to
crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS. (CVE-2024-44070)
It was discovered that FRR re-validated all routes in certain instances
when the internal socket's buffer size overflowed. A remote attacker could
possibly use this issue to impact the performance of FRR, resulting in a
denial of service. (CVE-2024-55553)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
frr 10.0.1-0.1ubuntu3
Ubuntu 24.04 LTS
frr 8.4.4-1.1ubuntu6.3
Ubuntu 22.04 LTS
frr 8.1-1ubuntu1.13
Ubuntu 20.04 LTS
frr 7.2.1-1ubuntu0.2+esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7230-2
https://ubuntu.com/security/notices/USN-7230-1
CVE-2024-44070, CVE-2024-55553
Package Information:
https://launchpad.net/ubuntu/+source/frr/10.0.1-0.1ubuntu3
https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu6.3
https://launchpad.net/ubuntu/+source/frr/8.1-1ubuntu1.13
[USN-7230-1] Quagga vulnerability
==========================================================================
Ubuntu Security Notice USN-7230-1
January 27, 2025
quagga vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Quagga could be made to crash if it received specially crafted network traffic.
Software Description:
- quagga: BGP/OSPF/RIP routing daemon
Details:
Iggy Frankovic discovered that Quagga incorrectly handled certain BGP
messages. A remote attacker could possibly use this issue to cause Quagga
to crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
quagga 1.2.4-1ubuntu0.1~esm2
Available with Ubuntu Pro
quagga-bgpd 1.2.4-1ubuntu0.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7230-1
CVE-2024-44070
[USN-7179-4] Linux kernel (Xilinx ZynqMP) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7179-4
January 27, 2025
linux-xilinx-zynqmp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors
Details:
Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux
kernel contained a type-confusion error. A physically proximate remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2020-12351)
Andy Nguyen discovered that the Bluetooth A2MP implementation in the Linux
kernel did not properly initialize memory in some situations. A physically
proximate remote attacker could use this to expose sensitive information
(kernel memory). (CVE-2020-12352)
Andy Nguyen discovered that the Bluetooth HCI event packet parser in the
Linux kernel did not properly handle event advertisements of certain sizes,
leading to a heap-based buffer overflow. A physically proximate remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2020-24490)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- Media drivers;
- Network drivers;
- SMB network file system;
- Bluetooth subsystem;
- Amateur Radio drivers;
- Network traffic control;
- VMware vSockets driver;
(CVE-2024-43904, CVE-2024-35963, CVE-2024-35967, CVE-2024-40973,
CVE-2024-26822, CVE-2024-35965, CVE-2024-40910, CVE-2024-38553,
CVE-2024-53057, CVE-2024-50264, CVE-2024-35966)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
linux-image-5.15.0-1041-xilinx-zynqmp 5.15.0-1041.45
linux-image-xilinx-zynqmp 5.15.0.1041.45
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7179-4
https://ubuntu.com/security/notices/USN-7179-3
https://ubuntu.com/security/notices/USN-7179-2
https://ubuntu.com/security/notices/USN-7179-1
CVE-2020-12351, CVE-2020-12352, CVE-2020-24490, CVE-2024-26822,
CVE-2024-35963, CVE-2024-35965, CVE-2024-35966, CVE-2024-35967,
CVE-2024-38553, CVE-2024-40910, CVE-2024-40973, CVE-2024-43904,
CVE-2024-50264, CVE-2024-53057
Package Information:
https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.15.0-1041.45
[USN-7229-1] ClamAV vulnerability
==========================================================================
Ubuntu Security Notice USN-7229-1
January 27, 2025
clamav vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
Summary:
ClamAV could be made to crash if it opened a specially crafted file.
Software Description:
- clamav: Anti-virus utility for Unix
Details:
It was discovered that ClamAV incorrectly handled decrypting OLE2 content.
A remote attacker could possibly use this issue to cause ClamAV to crash,
resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
clamav 1.4.2+dfsg-0ubuntu0.24.10.1
Ubuntu 24.04 LTS
clamav 1.0.8+dfsg-0ubuntu0.24.04.1
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-7229-1
CVE-2025-20128
Package Information:
https://launchpad.net/ubuntu/+source/clamav/1.4.2+dfsg-0ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/clamav/1.0.8+dfsg-0ubuntu0.24.04.1
[USN-7228-1] LibreOffice vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7228-1
January 27, 2025
libreoffice vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in LibreOffice.
Software Description:
- libreoffice: Office productivity suite
Details:
Thomas Rinsma discovered that LibreOffice incorrectly handled paths when
processing embedded font files. If a user or automated system were tricked
into opening a specially crafted LibreOffice file, a remote attacker could
possibly use this issue to create arbitrary files ending with ".ttf".
(CVE-2024-12425)
Thomas Rinsma discovered that LibreOffice incorrectly handled certain
environment variables and INI file values. If a user or automated system
were tricked into opening a specially crafted LibreOffice file, a remote
attacker could possibly use this issue to exfiltrate sensitive information.
(CVE-2024-12426)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libreoffice 4:24.8.4-0ubuntu0.24.10.2
Ubuntu 24.04 LTS
libreoffice 4:24.2.7-0ubuntu0.24.04.2
Ubuntu 22.04 LTS
libreoffice 1:7.3.7-0ubuntu0.22.04.8
Ubuntu 20.04 LTS
libreoffice 1:6.4.7-0ubuntu0.20.04.13
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7228-1
CVE-2024-12425, CVE-2024-12426
Package Information:
https://launchpad.net/ubuntu/+source/libreoffice/4:24.8.4-0ubuntu0.24.10.2
https://launchpad.net/ubuntu/+source/libreoffice/4:24.2.7-0ubuntu0.24.04.2
https://launchpad.net/ubuntu/+source/libreoffice/1:7.3.7-0ubuntu0.22.04.8
https://launchpad.net/ubuntu/+source/libreoffice/1:6.4.7-0ubuntu0.20.04.13
