Three Ubuntu Security Notices (USNs) were released to address vulnerabilities in various packages. The first USN (USN-7762-1) fixes multiple security issues in the pip package installer, including exposure of sensitive information due to incorrect handling of proxy headers and URLs. The second USN (USN-7763-1) addresses a vulnerability in RabbitMQ Server that allows local attackers to obtain sensitive information by logging authorization headers. The third USN (USN-7759-1) fixes a denial-of-service vulnerability in the Kea DHCP package, which can be exploited by sending specially crafted network traffic.

[USN-7762-1] pip vulnerabilities
[USN-7763-1] RabbitMQ Server vulnerability
[USN-7759-1] Kea DHCP vulnerabilities

[USN-7762-1] pip vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7762-1
September 23, 2025

python-pip vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in pip.

Software Description:
- python-pip: Python package installer

Details:

Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly
leaked Proxy-Authorization headers. A remote attacker could possibly use
this issue to obtain sensitive information. This update addresses the issue
in the Requests module bundled into pip in Ubuntu 22.04 LTS.
(CVE-2023-32681)

It was discovered that urllib3 didn't strip HTTP body on status code
303 redirects under certain circumstances. A remote attacker could
possibly use this issue to obtain sensitive information. This update
addresses the issue in the urllib3 module bundled into pip in Ubuntu
24.04 LTS. (CVE-2023-45803)

Guido Vranken discovered that idna did not properly manage certain inputs,
which could lead to significant resource consumption. An attacker could
possibly use this issue to cause a denial of service. This update addresses
the issue in the idna module bundled into pip in Ubuntu 22.04 LTS and
Ubuntu 24.04 LTS. (CVE-2024-3651)

Juho Forsén discovered that Requests did not correctly parse URLs. A
remote attacker could possibly use this issue to leak sensitive
information. This update addresses the issue in the Requests module bundled
into pip in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04.
(CVE-2024-47081)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
python3-pip 25.0+dfsg-1ubuntu0.2
python3-pip-whl 25.0+dfsg-1ubuntu0.2

Ubuntu 24.04 LTS
python3-pip 24.0+dfsg-1ubuntu1.3
python3-pip-whl 24.0+dfsg-1ubuntu1.3

Ubuntu 22.04 LTS
python3-pip 22.0.2+dfsg-1ubuntu0.7
python3-pip-whl 22.0.2+dfsg-1ubuntu0.7

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7762-1
CVE-2023-32681, CVE-2023-45803, CVE-2024-3651, CVE-2024-47081,
https://launchpad.net/bugs/2031880

Package Information:
https://launchpad.net/ubuntu/+source/python-pip/25.0+dfsg-1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-pip/24.0+dfsg-1ubuntu1.3
https://launchpad.net/ubuntu/+source/python-pip/22.0.2+dfsg-1ubuntu0.7

[USN-7763-1] RabbitMQ Server vulnerability

==========================================================================
Ubuntu Security Notice USN-7763-1
September 23, 2025

rabbitmq-server vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04

Summary:

RabbitMQ Server could be made to expose sensitive information.

Software Description:
- rabbitmq-server: AMQP server written in Erlang

Details:

It was discovered that RabbitMQ Server incorrectly included authorization
headers when logging. A local attacker could possibly use this issue to
obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
rabbitmq-server 4.0.5-2ubuntu2.1

After a standard system update you need to restart RabbitMQ Server to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7763-1
CVE-2025-50200

Package Information:
https://launchpad.net/ubuntu/+source/rabbitmq-server/4.0.5-2ubuntu2.1

[USN-7759-1] Kea DHCP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7759-1
September 21, 2025

isc-kea vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Kea DHCP could be made to crash if it received specially crafted network
traffic.

Software Description:
- isc-kea: Standards-based DHCP server

Details:

It was discovered that Kea DHCP did not correctly handle invalid hostnames.
A remote attacker could possibly use this issue to cause a denial of
service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
kea-admin 1.1.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
kea-common 1.1.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
kea-dhcp-ddns-server 1.1.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
kea-dhcp4-server 1.1.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
kea-dhcp6-server 1.1.0-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
kea-admin 1.0.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
kea-common 1.0.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
kea-dhcp-ddns-server 1.0.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
kea-dhcp4-server 1.0.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
kea-dhcp6-server 1.0.0-1ubuntu0.1~esm1
Available with Ubuntu Pro

After a standard system update you may need to restart Kea DHCP server
instances to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7759-1
CVE-2019-6473