
Ubuntu Linux has received two security updates: [USN-7330-1] addressing vulnerabilities in Ansible and [USN-7334-1] focusing on vulnerabilities in Firefox.

[USN-7330-1] Ansible vulnerabilities
[USN-7334-1] Firefox vulnerabilities




[USN-7330-1] Ansible vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7330-1
March 05, 2025

ansible vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Ansible.

Software Description:
- ansible: Configuration management, deployment, and task execution system

Details:

It was discovered that Ansible did not properly verify certain fields of
X.509 certificates. An attacker could possibly use this issue to spoof
SSL servers if they were able to intercept network communications. This
issue only affected Ubuntu 14.04 LTS. (CVE-2015-3908)

Martin Carpenter discovered that certain connection plugins for Ansible
did not properly restrict users. An attacker with local access could
possibly use this issue to escape a restricted environment via symbolic
link misuse. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-6240)

Robin Schneider discovered that Ansible's apt_key module did not properly
verify key fingerprints. A remote attacker could possibly use this issue
to perform key injection, leading to the access of sensitive information.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-8614)

It was discovered that Ansible would expose passwords in certain
instances. An attacker could possibly use specially crafted input related
to this issue to access sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-10206)

It was discovered that Ansible incorrectly logged sensitive information.
An attacker with local access could possibly use this issue to access
sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2019-14846)

It was discovered that Ansible's solaris_zone module accepted input without
performing input checking. A remote attacker could possibly use this issue
to enable the execution of arbitrary code. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-14904)

It was discovered that Ansible did not generate sufficiently random values,
which could lead to the exposure of passwords. An attacker could possibly
use this issue to access sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-10729)

It was discovered that Ansible's svn module could disclose passwords to
users within the same node. An attacker could possibly use this issue to
access sensitive information. (CVE-2020-1739)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  ansible                         2.9.6+dfsg-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ansible                         2.5.1+dfsg-1ubuntu0.1+esm5
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  ansible                         2.0.0.2-2ubuntu1.3+esm5
                                  Available with Ubuntu Pro
  ansible-fireball                2.0.0.2-2ubuntu1.3+esm5
                                  Available with Ubuntu Pro
  ansible-node-fireball           2.0.0.2-2ubuntu1.3+esm5
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  ansible                         1.5.4+dfsg-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro
  ansible-fireball                1.5.4+dfsg-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro
  ansible-node-fireball           1.5.4+dfsg-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7330-1
  CVE-2015-3908, CVE-2015-6240, CVE-2016-8614, CVE-2019-10206,
  CVE-2019-14846, CVE-2019-14904, CVE-2020-10729, CVE-2020-1739



[USN-7334-1] Firefox vulnerabilities


=========================================================================
Ubuntu Security Notice USN-7334-1
March 06, 2025

firefox vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2025-1933,
CVE-2025-1934, CVE-2025-1935, CVE-2025-1936, CVE-2025-1937, CVE-2025-1942)

It was discovered that Firefox did not properly handle WebTransport
connections, leading to a use-after-free vulnerability. An attacker could
potentially exploit this issue to cause a denial of service.
(CVE-2025-1931)

Ivan Fratric discovered that Firefox did not properly handle XSLT sorting,
leading to an out-of-bounds access vulnerability. An attacker could
potentially exploit this issue to cause a denial of service, or execute
arbitrary code. (CVE-2025-1932)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  firefox                         136.0+build3-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all the
necessary changes.

References:
https://ubuntu.com/security/notices/USN-7334-1
CVE-2025-1931, CVE-2025-1932, CVE-2025-1933, CVE-2025-1934,
CVE-2025-1935, CVE-2025-1936, CVE-2025-1937, CVE-2025-1942

Package Information:
https://launchpad.net/ubuntu/+source/firefox/136.0+build3-0ubuntu0.20.04.1