Ubuntu 6684

Ubuntu Linux has been updated with two security patches: [USN-7256-1] addressing vulnerabilities in Ruby and [USN-7257-1] concerning a Kerberos vulnerability.

[USN-7256-1] Ruby vulnerabilities
[USN-7257-1] Kerberos vulnerability

[USN-7256-1] Ruby vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7256-1
February 06, 2025

ruby2.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description:
- ruby2.7: Object-oriented scripting language

Details:

It was discovered that Ruby's REXML gem incorrectly handled parsing of an XML
document that has specific XML characters in an attribute value. An attacker
could use this issue to cause Ruby to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
libruby2.7 2.7.0-5ubuntu1.16
ruby2.7 2.7.0-5ubuntu1.16

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7256-1
CVE-2024-39908, CVE-2024-43398

Package Information:
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.16

[USN-7257-1] Kerberos vulnerability

==========================================================================
Ubuntu Security Notice USN-7257-1
February 05, 2025

krb5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

A system authentication measure could be bypassed.

Software Description:
- krb5: MIT Kerberos Network Authentication Protocol

Details:

Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc
Stevens, and Adam Suhl discovered that Kerberos incorrectly authenticated
certain responses. An attacker able to intercept communications between a
RADIUS client and server could possibly use this issue to forge responses,
bypass authentication, and access network devices and services.

This update introduces support for the Message-Authenticator attribute in
non-EAP authentication methods for communications between Kerberos and a
RADIUS server.
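As an added illustration of the check this update enables (example code written for this page, not part of the Ubuntu notice or the krb5 sources), the block below verifies a RADIUS response the way a hardened client should: it requires the Message-Authenticator attribute and validates it as HMAC-MD5 over the packet with the attribute value zeroed (RFC 2869), rejecting any response that omits it. The shared secret, request authenticator and packet contents are constructed values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14


def build_response(code, ident, request_auth, attrs, secret):
    """Build an Access-Accept/Reject/Challenge carrying a valid
    Message-Authenticator. attrs is a list of (type, value_bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # Append the attribute with a zeroed value; the HMAC is computed over it.
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # HMAC-MD5(Code, ID, Length, Request Authenticator, Attributes) keyed
    # with the shared secret; the Request Authenticator comes from the
    # Access-Request this packet answers.
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Legacy Response Authenticator (RFC 2865): plain MD5, which on its own
    # is what the forgery attack targets, so verify_response ignores it.
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt, request_auth, secret):
    """Accept a response only if it carries a Message-Authenticator whose
    HMAC-MD5 matches; a response without one is rejected outright."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    attrs, pos = pkt[20:], 0
    while pos + 2 <= len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            return False  # malformed attribute list
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            received = attrs[pos + 2:pos + 18]
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            expected = hmac.new(secret, pkt[:4] + request_auth + zeroed,
                                hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += l
    return False


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    pkt = build_response(2, 7, req_auth, [(18, b"hello")], secret)
    print(verify_response(pkt, req_auth, secret))  # True
```

A client that still accepts responses lacking the attribute, or that checks only the Response Authenticator, remains in the pre-update position, so the "reject when absent" branch is as important as the HMAC comparison.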

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
libk5crypto3 1.21.3-3ubuntu0.1
libkrad0 1.21.3-3ubuntu0.1

Ubuntu 24.04 LTS
libk5crypto3 1.20.1-6ubuntu2.3
libkrad0 1.20.1-6ubuntu2.3

Ubuntu 22.04 LTS
libk5crypto3 1.19.2-2ubuntu0.5
libkrad0 1.19.2-2ubuntu0.5

Ubuntu 20.04 LTS
libk5crypto3 1.17-6ubuntu4.8
libkrad0 1.17-6ubuntu4.8

Ubuntu 18.04 LTS
libk5crypto3 1.16-2ubuntu0.4+esm3 (Available with Ubuntu Pro)
libkrad0 1.16-2ubuntu0.4+esm3 (Available with Ubuntu Pro)

Ubuntu 16.04 LTS
libk5crypto3 1.13.2+dfsg-5ubuntu2.2+esm6 (Available with Ubuntu Pro)
libkrad0 1.13.2+dfsg-5ubuntu2.2+esm6 (Available with Ubuntu Pro)

Ubuntu 14.04 LTS
libk5crypto3 1.12+dfsg-2ubuntu5.4+esm6 (Available with Ubuntu Pro)
libkrad0 1.12+dfsg-2ubuntu5.4+esm6 (Available with Ubuntu Pro)

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7257-1
CVE-2024-3596

Package Information:
https://launchpad.net/ubuntu/+source/krb5/1.21.3-3ubuntu0.1
https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.3
https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.5
https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.8