Ubuntu 6533 Published by

The following updates are available for Ubuntu Linux:

[USN-6768-1] GLib vulnerability
[USN-6769-1] Spreadsheet::ParseXLSX vulnerabilities
[USN-6770-1] Fossil regression




[USN-6768-1] GLib vulnerability


==========================================================================
Ubuntu Security Notice USN-6768-1
May 09, 2024

glib2.0 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

GLib could be made to accept spoofed D-Bus signals.

Software Description:
- glib2.0: GLib library of C routines

Details:

Alicia Boya García discovered that GLib incorrectly handled signal
subscriptions. A local attacker could use this issue to spoof D-Bus signals
resulting in a variety of impacts including possible privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libglib2.0-0t64 2.80.0-6ubuntu3.1
libglib2.0-bin 2.80.0-6ubuntu3.1

Ubuntu 23.10
libglib2.0-0 2.78.0-2ubuntu0.1
libglib2.0-bin 2.78.0-2ubuntu0.1

Ubuntu 22.04 LTS
libglib2.0-0 2.72.4-0ubuntu2.3
libglib2.0-bin 2.72.4-0ubuntu2.3

Ubuntu 20.04 LTS
libglib2.0-0 2.64.6-1~ubuntu20.04.7
libglib2.0-bin 2.64.6-1~ubuntu20.04.7

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6768-1
CVE-2024-34397

Package Information:
https://launchpad.net/ubuntu/+source/glib2.0/2.80.0-6ubuntu3.1
https://launchpad.net/ubuntu/+source/glib2.0/2.78.0-2ubuntu0.1
https://launchpad.net/ubuntu/+source/glib2.0/2.72.4-0ubuntu2.3
https://launchpad.net/ubuntu/+source/glib2.0/2.64.6-1~ubuntu20.04.7



[USN-6769-1] Spreadsheet::ParseXLSX vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6769-1
May 09, 2024

libspreadsheet-parsexlsx-perl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in libspreadsheet-parsexlsx-perl.

Software Description:
- libspreadsheet-parsexlsx-perl: Perl module to parse XLSX files

Details:

Le Dinh Hai discovered that Spreadsheet::ParseXLSX did not properly manage
memory during cell merge operations. An attacker could possibly use this
issue to consume large amounts of memory, resulting in a denial of service
condition. (CVE-2024-22368)

An Pham discovered that Spreadsheet::ParseXLSX allowed the processing of
external entities in a default configuration. An attacker could possibly
use this vulnerability to execute an XML External Entity (XXE) injection
attack. (CVE-2024-23525)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10
  libspreadsheet-parsexlsx-perl   0.27-3+deb12u2build0.23.10.1

Ubuntu 22.04 LTS
  libspreadsheet-parsexlsx-perl   0.27-2.1+deb11u2build0.22.04.1

Ubuntu 20.04 LTS
  libspreadsheet-parsexlsx-perl   0.27-2+deb10u1build0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6769-1
  CVE-2024-22368, CVE-2024-23525

Package Information:
https://launchpad.net/ubuntu/+source/libspreadsheet-parsexlsx-perl/0.27-3+deb12u2build0.23.10.1
https://launchpad.net/ubuntu/+source/libspreadsheet-parsexlsx-perl/0.27-2.1+deb11u2build0.22.04.1
https://launchpad.net/ubuntu/+source/libspreadsheet-parsexlsx-perl/0.27-2+deb10u1build0.20.04.1



[USN-6770-1] Fossil regression


==========================================================================
Ubuntu Security Notice USN-6770-1
May 09, 2024

fossil regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Fossil regression

Software Description:
- fossil: DSCM with built-in wiki, http interface and server, tickets datab

Details:

USN-6729-1 fixed vulnerabilities in Apache HTTP Server. The
update lead to the discovery of a regression in Fossil with
regards to the handling of POST requests that do not have a
Content-Length field set. This update fixes the problem.

We apologize for the inconvenience.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  fossil                          1:2.23-1ubuntu0.1

Ubuntu 23.10
  fossil                          1:2.22-1ubuntu0.1

Ubuntu 22.04 LTS
  fossil                          1:2.18-1ubuntu0.1

Ubuntu 20.04 LTS
  fossil                          1:2.10-1ubuntu0.1

Ubuntu 18.04 LTS
  fossil                          1:2.5-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  fossil                          1:1.33-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6770-1
  https://launchpad.net/bugs/2064509

Package Information:
  https://launchpad.net/ubuntu/+source/fossil/1:2.23-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/fossil/1:2.22-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/fossil/1:2.18-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/fossil/1:2.10-1ubuntu0.1