[USN-6755-1] GNU cpio vulnerabilities
[USN-6756-1] less vulnerability
[USN-6744-3] Pillow vulnerability
[USN-6729-3] Apache HTTP Server vulnerabilities
[USN-6737-2] GNU C Library vulnerability
[USN-6733-2] GnuTLS vulnerabilities
[USN-6734-2] libvirt vulnerabilities
[USN-6718-3] curl vulnerabilities
[USN-6759-1] FreeRDP vulnerabilities
[USN-6757-1] PHP vulnerabilities
[USN-6755-1] GNU cpio vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6755-1
April 29, 2024
cpio vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
GNU cpio could be made to write files outside the target directory.
Software Description:
- cpio: a tool to manage archives of files
Details:
Ingo Brückl discovered that cpio contained a path traversal vulnerability.
If a user or automated system were tricked into extracting a specially
crafted cpio archive, an attacker could possibly use this issue to write
arbitrary files outside the target directory on the host, even if using the
option --no-absolute-filenames.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10
cpio 2.13+dfsg-7.1ubuntu0.1
Ubuntu 22.04 LTS
cpio 2.13+dfsg-7ubuntu0.1
Ubuntu 20.04 LTS
cpio 2.13+dfsg-2ubuntu0.4
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6755-1
CVE-2023-7207
Package Information:
https://launchpad.net/ubuntu/+source/cpio/2.13+dfsg-7.1ubuntu0.1
https://launchpad.net/ubuntu/+source/cpio/2.13+dfsg-7ubuntu0.1
https://launchpad.net/ubuntu/+source/cpio/2.13+dfsg-2ubuntu0.4
[USN-6756-1] less vulnerability
==========================================================================
Ubuntu Security Notice USN-6756-1
April 29, 2024
less vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
less could be made run programs as your login if it opened a specially
crafted file.
Software Description:
- less: pager program similar to more
Details:
It was discovered that less mishandled newline characters in file names. If
a user or automated system were tricked into opening specially crafted
files, an attacker could possibly use this issue to execute arbitrary
commands on the host.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
less 590-2ubuntu2.1
Ubuntu 23.10
less 590-2ubuntu0.23.10.2
Ubuntu 22.04 LTS
less 590-1ubuntu0.22.04.3
Ubuntu 20.04 LTS
less 551-1ubuntu0.3
Ubuntu 18.04 LTS
less 487-0.1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
less 481-2.1ubuntu0.2+esm2
Available with Ubuntu Pro
Ubuntu 14.04 LTS
less 458-2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6756-1
CVE-2024-32487
Package Information:
https://launchpad.net/ubuntu/+source/less/590-2ubuntu2.1
https://launchpad.net/ubuntu/+source/less/590-2ubuntu0.23.10.2
https://launchpad.net/ubuntu/+source/less/590-1ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/less/551-1ubuntu0.3
[USN-6744-3] Pillow vulnerability
==========================================================================
Ubuntu Security Notice USN-6744-3
April 29, 2024
pillow vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
Pillow could be made to crash or run programs as an administrator
if it opened a specially crafted file.
Software Description:
- pillow: Python Imaging Library
Details:
USN-6744-1 fixed a vulnerability in Pillow. This update
provides the corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
Hugo van Kemenade discovered that Pillow was not properly performing
bounds checks when processing an ICC file, which could lead to a buffer
overflow. If a user or automated system were tricked into processing a
specially crafted ICC file, an attacker could possibly use this issue
to cause a denial of service or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-pil 10.2.0-1ubuntu1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6744-3
https://ubuntu.com/security/notices/USN-6744-1
CVE-2024-28219
Package Information:
https://launchpad.net/ubuntu/+source/pillow/10.2.0-1ubuntu1
[USN-6729-3] Apache HTTP Server vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6729-3
April 29, 2024
apache2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in Apache HTTP Server.
Software Description:
- apache2: Apache HTTP server
Details:
USN-6729-1 fixed vulnerabilities in Apache HTTP Server. This update
provides the corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
Orange Tsai discovered that the Apache HTTP Server incorrectly handled
validating certain input. A remote attacker could possibly use this
issue to perform HTTP request splitting attacks. (CVE-2023-38709)
Keran Mu and Jianjun Chen discovered that the Apache HTTP Server
incorrectly handled validating certain input. A remote attacker could
possibly use this issue to perform HTTP request splitting attacks.
(CVE-2024-24795)
Bartek Nowotarski discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled endless continuation frames. A remote attacker could
possibly use this issue to cause the server to consume resources, leading
to a denial of service. (CVE-2024-27316)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
apache2 2.4.58-1ubuntu8.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6729-3
https://ubuntu.com/security/notices/USN-6729-1
CVE-2023-38709, CVE-2024-24795, CVE-2024-27316
Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.1
[USN-6737-2] GNU C Library vulnerability
==========================================================================
Ubuntu Security Notice USN-6737-2
April 29, 2024
glibc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
GNU C Library could be made to crash or run programs if it processed
specially crafted data.
Software Description:
- glibc: GNU C Library
Details:
USN-6737-1 fixed a vulnerability in the GNU C Library. This update provides
the corresponding update for Ubuntu 24.04 LTS.
Original advisory details:
Charles Fol discovered that the GNU C Library iconv feature incorrectly
handled certain input sequences. An attacker could use this issue to cause
the GNU C Library to crash, resulting in a denial of service, or possibly
execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libc6 2.39-0ubuntu8.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6737-2
https://ubuntu.com/security/notices/USN-6737-1
CVE-2024-2961
Package Information:
https://launchpad.net/ubuntu/+source/glibc/2.39-0ubuntu8.1
[USN-6733-2] GnuTLS vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6733-2
April 29, 2024
gnutls28 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in GnuTLS.
Software Description:
- gnutls28: GNU TLS library
Details:
USN-6733-1 fixed vulnerabilities in GnuTLS. This update provides the
corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
It was discovered that GnuTLS had a timing side-channel when performing
certain ECDSA operations. A remote attacker could possibly use this issue
to recover sensitive information. (CVE-2024-28834)
It was discovered that GnuTLS incorrectly handled verifying certain PEM
bundles. A remote attacker could possibly use this issue to cause GnuTLS to
crash, resulting in a denial of service. This issue only affected Ubuntu
22.04 LTS and Ubuntu 23.10. (CVE-2024-28835)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libgnutls30t64 3.8.3-1.1ubuntu3.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6733-2
https://ubuntu.com/security/notices/USN-6733-1
CVE-2024-28834, CVE-2024-28835
Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.8.3-1.1ubuntu3.1
[USN-6734-2] libvirt vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6734-2
April 29, 2024
libvirt vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in libvirt.
Software Description:
- libvirt: Libvirt virtualization toolkit
Details:
USN-6734-1 fixed vulnerabilities in libvirt. This update provides the
corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
Alexander Kuznetsov discovered that libvirt incorrectly handled certain API
calls. An attacker could possibly use this issue to cause libvirt to crash,
resulting in a denial of service. (CVE-2024-1441)
It was discovered that libvirt incorrectly handled certain RPC library API
calls. An attacker could possibly use this issue to cause libvirt to crash,
resulting in a denial of service. (CVE-2024-2494)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libvirt-daemon 10.0.0-2ubuntu8.1
libvirt-daemon-system 10.0.0-2ubuntu8.1
libvirt0 10.0.0-2ubuntu8.1
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6734-2
https://ubuntu.com/security/notices/USN-6734-1
CVE-2024-1441, CVE-2024-2494
Package Information:
https://launchpad.net/ubuntu/+source/libvirt/10.0.0-2ubuntu8.1
[USN-6718-3] curl vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6718-3
April 29, 2024
curl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
USN-6718-1 fixed vulnerabilities in curl. This update provides the
corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
Dan Fandrich discovered that curl would incorrectly use the default set of
protocols when a parameter option disabled all protocols without adding
any, contrary to expectations. This issue only affected Ubuntu 23.10.
(CVE-2024-2004)
It was discovered that curl incorrectly handled memory when limiting the
amount of headers when HTTP/2 server push is allowed. A remote attacker
could possibly use this issue to cause curl to consume resources, leading
to a denial of service. (CVE-2024-2398)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
curl 8.5.0-2ubuntu10.1
libcurl3t64-gnutls 8.5.0-2ubuntu10.1
libcurl4t64 8.5.0-2ubuntu10.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6718-3
https://ubuntu.com/security/notices/USN-6718-1
CVE-2024-2004, CVE-2024-2398
Package Information:
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.1
[USN-6759-1] FreeRDP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6759-1
April 29, 2024
freerdp3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in FreeRDP.
Software Description:
- freerdp3: RDP client for Windows Terminal Services
Details:
It was discovered that FreeRDP incorrectly handled certain memory
operations. If a user were tricked into connecting to a malicious server, a
remote attacker could possibly use this issue to cause FreeRDP to crash,
resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libfreerdp3-3 3.5.1+dfsg1-0ubuntu1
After a standard system update you need to restart your session to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6759-1
CVE-2024-32658, CVE-2024-32659, CVE-2024-32660, CVE-2024-32661,
CVE-2024-32662
Package Information:
https://launchpad.net/ubuntu/+source/freerdp3/3.5.1+dfsg1-0ubuntu1
[USN-6757-1] PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6757-1
April 29, 2024
php7.0, php7.2, php7.4, php8.1 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter
Details:
It was discovered that PHP incorrectly handled PHP_CLI_SERVER_WORKERS variable.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. This issue only affected Ubuntu 20.04 LTS, and
Ubuntu 22.04 LTS. (CVE-2022-4900)
It was discovered that PHP incorrectly handled certain cookies.
An attacker could possibly use this issue to cookie by pass.
(CVE-2024-2756)
It was discovered that PHP incorrectly handled some passwords.
An attacker could possibly use this issue to cause an account takeover
attack. (CVE-2024-3096)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
libapache2-mod-php8.1 8.1.2-1ubuntu2.16
php8.1 8.1.2-1ubuntu2.16
php8.1-cgi 8.1.2-1ubuntu2.16
php8.1-cli 8.1.2-1ubuntu2.16
php8.1-fpm 8.1.2-1ubuntu2.16
php8.1-xml 8.1.2-1ubuntu2.16
Ubuntu 20.04 LTS
libapache2-mod-php7.4 7.4.3-4ubuntu2.21
php7.4 7.4.3-4ubuntu2.21
php7.4-cgi 7.4.3-4ubuntu2.21
php7.4-cli 7.4.3-4ubuntu2.21
php7.4-fpm 7.4.3-4ubuntu2.21
php7.4-xml 7.4.3-4ubuntu2.21
Ubuntu 18.04 LTS
libapache2-mod-php7.2 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
php7.2-xml 7.2.24-0ubuntu0.18.04.17+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
php7.0-xml 7.0.33-0ubuntu0.16.04.16+esm9
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6757-1
CVE-2022-4900, CVE-2024-2756, CVE-2024-3096
Package Information:
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.16
https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.21
