Ubuntu 6603 Published by

Ubuntu Linux has received updates that address various security issues, including a needrestart regression, TinyGLTF, Pygments, libsoup, libsoup3, and a vulnerability in twisted:

[USN-7117-2] needrestart regression
[USN-7129-1] TinyGLTF vulnerability
[USN-7128-1] Pygments vulnerability
[USN-7126-1] libsoup vulnerabilities
[USN-7127-1] libsoup3 vulnerabilities
[USN-6988-2] Twisted vulnerability




[USN-7117-2] needrestart regression


==========================================================================
Ubuntu Security Notice USN-7117-2
November 26, 2024

needrestart regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-7117-1 caused some regression in needrestart.

Software Description:
- needrestart: check which daemons need to be restarted after library
upgrades

Details:

USN-7117-1 fixed vulnerabilities in needrestart. The update introduced a
regression in needrestart. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Qualys discovered that needrestart passed unsanitized data to a library
(libmodule-scandeps-perl) which expects safe input. A local attacker could
possibly use this issue to execute arbitrary code as root.
(CVE-2024-11003)

Qualys discovered that the library libmodule-scandeps-perl incorrectly
parsed perl code. This could allow a local attacker to execute arbitrary
shell commands. (CVE-2024-10224)

Qualys discovered that needrestart incorrectly used the PYTHONPATH
environment variable to spawn a new Python interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48990)

Qualys discovered that needrestart incorrectly checked the path to the
Python interpreter. A local attacker could possibly use this issue to win
a race condition and execute arbitrary code as root. (CVE-2024-48991)

Qualys discovered that needrestart incorrectly used the RUBYLIB
environment variable to spawn a new Ruby interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48992)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
needrestart 3.6-8ubuntu4.3

Ubuntu 24.04 LTS
needrestart 3.6-7ubuntu4.4

Ubuntu 22.04 LTS
needrestart 3.5-5ubuntu2.3

Ubuntu 20.04 LTS
needrestart 3.4-6ubuntu0.1+esm2
Available with Ubuntu Pro

Ubuntu 18.04 LTS
needrestart 3.1-1ubuntu0.1+esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
needrestart 2.6-1ubuntu0.1~esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7117-2
https://ubuntu.com/security/notices/USN-7117-1
https://launchpad.net/bugs/2089193

Package Information:
https://launchpad.net/ubuntu/+source/needrestart/3.6-8ubuntu4.3
https://launchpad.net/ubuntu/+source/needrestart/3.6-7ubuntu4.4
https://launchpad.net/ubuntu/+source/needrestart/3.5-5ubuntu2.3



[USN-7129-1] TinyGLTF vulnerability


==========================================================================
Ubuntu Security Notice USN-7129-1
November 26, 2024

TinyGLTF vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

TinyGLTF could be made to crash or run programs as your login if it
received specially crafted input.

Software Description:
- tinygltf: glTF loader and saver library

Details:

It was discovered that TinyGLTF performed file path expansion in an
insecure way on certain inputs. An attacker could possibly use this
issue to cause a denial of service, or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
libtinygltf-dev 2.5.0+dfsg-4ubuntu0.1
libtinygltf1d 2.5.0+dfsg-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7129-1
CVE-2022-3008

Package Information:
https://launchpad.net/ubuntu/+source/tinygltf/2.5.0+dfsg-4ubuntu0.1



[USN-7128-1] Pygments vulnerability


==========================================================================
Ubuntu Security Notice USN-7128-1
November 26, 2024

pygments vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Pygments could be made to crash if it received specially crafted input.

Software Description:
- pygments: Generic syntax highlighter

Details:

Sebastian Chnelik discovered that Pygments had an inefficient regex query
for analyzing certain inputs. An attacker could possibly use this issue to
cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  python3-pygments                2.11.2+dfsg-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7128-1
  CVE-2022-40896

Package Information:
https://launchpad.net/ubuntu/+source/pygments/2.11.2+dfsg-2ubuntu0.1



[USN-7126-1] libsoup vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7126-1
November 27, 2024

libsoup2.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in libsoup.

Software Description:
- libsoup2.4: HTTP client/server library for GNOME

Details:

It was discovered that libsoup ignored certain characters at the end of
header names. A remote attacker could possibly use this issue to perform
a HTTP request smuggling attack. (CVE-2024-52530)

It was discovered that libsoup did not correctly handle memory while
performing UTF-8 conversions. An attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. (CVE-2024-52531)

It was discovered that libsoup could enter an infinite loop when reading
certain websocket data. An attacker could possibly use this issue to
cause a denial of service. (CVE-2024-52532)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  libsoup-2.4-1                   2.74.3-7ubuntu0.1

Ubuntu 24.04 LTS
  libsoup-2.4-1                   2.74.3-6ubuntu1.1

Ubuntu 22.04 LTS
  libsoup2.4-1                    2.74.2-3ubuntu0.1

Ubuntu 20.04 LTS
  libsoup2.4-1                    2.70.0-1ubuntu0.1

Ubuntu 18.04 LTS
  libsoup2.4-1                    2.62.1-1ubuntu0.4+esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7126-1
  CVE-2024-52530, CVE-2024-52531, CVE-2024-52532

Package Information:
https://launchpad.net/ubuntu/+source/libsoup2.4/2.74.3-7ubuntu0.1
https://launchpad.net/ubuntu/+source/libsoup2.4/2.74.3-6ubuntu1.1
https://launchpad.net/ubuntu/+source/libsoup2.4/2.74.2-3ubuntu0.1
https://launchpad.net/ubuntu/+source/libsoup2.4/2.70.0-1ubuntu0.1



[USN-7127-1] libsoup3 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7127-1
November 27, 2024

libsoup3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in libsoup3.

Software Description:
- libsoup3: GObject introspection data for the libsoup HTTP library

Details:

It was discovered that libsoup ignored certain characters at the end of
header names. A remote attacker could possibly use this issue to perform
a HTTP request smuggling attack. This issue only affected Ubuntu 22.04 LTS
and Ubuntu 24.04 LTS. (CVE-2024-52530)

It was discovered that libsoup did not correctly handle memory while
performing UTF-8 conversions. An attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. (CVE-2024-52531)

It was discovered that libsoup could enter an infinite loop when reading
certain websocket data. An attacker could possibly use this issue to
cause a denial of service. (CVE-2024-52532)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  libsoup-3.0-0                   3.6.0-2ubuntu0.1

Ubuntu 24.04 LTS
  libsoup-3.0-0                   3.4.4-5ubuntu0.1

Ubuntu 22.04 LTS
  libsoup-3.0-0                   3.0.7-0ubuntu1+esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7127-1
  CVE-2024-52530, CVE-2024-52531, CVE-2024-52532

Package Information:
  https://launchpad.net/ubuntu/+source/libsoup3/3.6.0-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/libsoup3/3.4.4-5ubuntu0.1



[USN-6988-2] Twisted vulnerability


==========================================================================
Ubuntu Security Notice USN-6988-2
November 26, 2024

twisted vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Twisted could allow unintended access to information over the network.

Software Description:
- twisted: Event-based framework for internet applications

Details:

USN-6988-1 fixed CVE-2024-41671 in Twisted. The USN incorrectly stated that
previous releases were unaffected. This update provides the equivalent fix
for Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS.

Original advisory details:

 Ben Kallus discovered that Twisted incorrectly handled response order when
 processing multiple HTTP requests. A remote attacker could possibly use
 this issue to delay and manipulate responses.
 This issue only affected Ubuntu 24.04 LTS. (CVE-2024-41671)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  python3-twisted                 22.1.0-2ubuntu2.6

Ubuntu 20.04 LTS
  python3-twisted                 18.9.0-11ubuntu0.20.04.5

Ubuntu 18.04 LTS
  python-twisted                  17.9.0-2ubuntu0.3+esm2
                                  Available with Ubuntu Pro
  python3-twisted                 17.9.0-2ubuntu0.3+esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6988-2
  https://ubuntu.com/security/notices/USN-6988-1
  CVE-2024-41671

Package Information:
  https://launchpad.net/ubuntu/+source/twisted/22.1.0-2ubuntu2.6
https://launchpad.net/ubuntu/+source/twisted/18.9.0-11ubuntu0.20.04.5