[USN-7108-1] AsyncSSH vulnerabilities
[USN-7113-1] WebKitGTK vulnerabilities
[USN-7114-1] GLib vulnerability
[USN-7104-1] curl vulnerability
[USN-7108-1] AsyncSSH vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7108-1
November 18, 2024
python-asyncssh vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several issues were fixed in AsyncSSH.
Software Description:
- python-asyncssh: asyncio-based client and server implementation of SSHv2
protocol
Details:
Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that AsyncSSH
did not properly handle the extension info message. An attacker able to
intercept communications could possibly use this issue to downgrade
the algorithm used for client authentication. (CVE-2023-46445)

Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that AsyncSSH
did not properly handle the user authentication request message. An
attacker could possibly use this issue to control the remote end of an SSH
client session via packet injection/removal and shell emulation.
(CVE-2023-46446)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
  python3-asyncssh 2.10.1-2ubuntu0.1+esm1
    Available with Ubuntu Pro
Ubuntu 22.04 LTS
  python3-asyncssh 2.5.0-1ubuntu0.1
Ubuntu 20.04 LTS
  python3-asyncssh 1.12.2-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7108-1
CVE-2023-46445, CVE-2023-46446
Package Information:
https://launchpad.net/ubuntu/+source/python-asyncssh/2.5.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-asyncssh/1.12.2-1ubuntu0.2
[USN-7113-1] WebKitGTK vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7113-1
November 18, 2024
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in WebKitGTK.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
  libjavascriptcoregtk-4.1-0 2.46.3-0ubuntu0.24.10.1
  libjavascriptcoregtk-6.0-1 2.46.3-0ubuntu0.24.10.1
  libwebkit2gtk-4.1-0 2.46.3-0ubuntu0.24.10.1
  libwebkitgtk-6.0-4 2.46.3-0ubuntu0.24.10.1
Ubuntu 24.04 LTS
  libjavascriptcoregtk-4.1-0 2.46.3-0ubuntu0.24.04.1
  libjavascriptcoregtk-6.0-1 2.46.3-0ubuntu0.24.04.1
  libwebkit2gtk-4.1-0 2.46.3-0ubuntu0.24.04.1
  libwebkitgtk-6.0-4 2.46.3-0ubuntu0.24.04.1
Ubuntu 22.04 LTS
  libjavascriptcoregtk-4.0-18 2.46.3-0ubuntu0.22.04.1
  libjavascriptcoregtk-4.1-0 2.46.3-0ubuntu0.22.04.1
  libjavascriptcoregtk-6.0-1 2.46.3-0ubuntu0.22.04.1
  libwebkit2gtk-4.0-37 2.46.3-0ubuntu0.22.04.1
  libwebkit2gtk-4.1-0 2.46.3-0ubuntu0.22.04.1
  libwebkitgtk-6.0-4 2.46.3-0ubuntu0.22.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7113-1
CVE-2024-44244, CVE-2024-44296
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.3-0ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.3-0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.3-0ubuntu0.22.04.1
[USN-7114-1] GLib vulnerability
==========================================================================
Ubuntu Security Notice USN-7114-1
November 18, 2024
glib2.0 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
GLib could be made to crash or exhibit other undefined behavior
if it received a specially crafted input.
Software Description:
- glib2.0: GLib library of C routines
Details:
It was discovered that GLib incorrectly handled certain trailing
characters. An attacker could possibly use this issue to cause
a crash or other undefined behavior.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
  libglib2.0-0t64 2.80.0-6ubuntu3.2
  libglib2.0-bin 2.80.0-6ubuntu3.2
Ubuntu 22.04 LTS
  libglib2.0-0 2.72.4-0ubuntu2.4
  libglib2.0-bin 2.72.4-0ubuntu2.4
Ubuntu 20.04 LTS
  libglib2.0-0 2.64.6-1~ubuntu20.04.8
  libglib2.0-bin 2.64.6-1~ubuntu20.04.8
Ubuntu 18.04 LTS
  libglib2.0-0 2.56.4-0ubuntu0.18.04.9+esm4
    Available with Ubuntu Pro
  libglib2.0-bin 2.56.4-0ubuntu0.18.04.9+esm4
    Available with Ubuntu Pro
Ubuntu 16.04 LTS
  libglib2.0-0 2.48.2-0ubuntu4.8+esm4
    Available with Ubuntu Pro
  libglib2.0-bin 2.48.2-0ubuntu4.8+esm4
    Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7114-1
CVE-2024-52533
Package Information:
https://launchpad.net/ubuntu/+source/glib2.0/2.80.0-6ubuntu3.2
https://launchpad.net/ubuntu/+source/glib2.0/2.72.4-0ubuntu2.4
https://launchpad.net/ubuntu/+source/glib2.0/2.64.6-1~ubuntu20.04.8
[USN-7104-1] curl vulnerability
==========================================================================
Ubuntu Security Notice USN-7104-1
November 18, 2024
curl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
curl could be made to expose sensitive information over the network.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
It was discovered that curl could overwrite the HSTS expiry of the parent
domain with the subdomain's HSTS entry. This could lead to curl switching
back to insecure HTTP earlier than otherwise intended, resulting in
information exposure.
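The overwrite described above, replayed against a simplified HSTS cache as an
added example (not curl's code and not part of the notice). The HstsCache
class, its exact_match_on_update switch and the example.com hosts are
constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    host: str
    expires: int              # absolute expiry time in seconds
    include_subdomains: bool

class HstsCache:
    def __init__(self, exact_match_on_update):
        # False models the flawed update the notice describes,
        # True models the corrected one (assumed switch, for comparison).
        self.exact_match_on_update = exact_match_on_update
        self.entries = {}

    def _covering(self, host):
        """Entries that apply to host: its own, then includeSubDomains parents."""
        labels = host.split(".")
        found = []
        for i in range(len(labels) - 1):          # never consult the bare TLD
            e = self.entries.get(".".join(labels[i:]))
            if e and (i == 0 or e.include_subdomains):
                found.append(e)
        return found

    def store(self, host, max_age, include_subdomains, now):
        """Record a Strict-Transport-Security header received from host."""
        if self.exact_match_on_update:
            target = self.entries.get(host)
        else:
            # Flaw: a subdomain with no entry of its own resolves to the parent.
            target = next(iter(self._covering(host)), None)
        if target is None:
            self.entries[host] = Entry(host, now + max_age, include_subdomains)
            return
        target.expires = now + max_age
        if target.host == host:
            target.include_subdomains = include_subdomains

    def must_upgrade(self, host, now):
        """True if a plain http:// request to host has to go out as https://."""
        return any(e.expires > now for e in self._covering(host))

def replay(exact_match_on_update):
    """Parent sets a one-year policy, subdomain a one-minute one; check an hour later."""
    cache = HstsCache(exact_match_on_update)
    cache.store("example.com", 31536000, True, now=0)
    cache.store("sub.example.com", 60, False, now=10)
    return (cache.must_upgrade("example.com", now=3600),
            cache.must_upgrade("sub.example.com", now=3600))
```

With the flawed update the parent's one-year policy is gone after the
subdomain's minute elapses; with exact-match updates both hosts stay on HTTPS.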
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
  curl 8.9.1-2ubuntu2.1
  libcurl3t64-gnutls 8.9.1-2ubuntu2.1
  libcurl4t64 8.9.1-2ubuntu2.1
Ubuntu 24.04 LTS
  curl 8.5.0-2ubuntu10.5
  libcurl3t64-gnutls 8.5.0-2ubuntu10.5
  libcurl4t64 8.5.0-2ubuntu10.5
Ubuntu 22.04 LTS
  curl 7.81.0-1ubuntu1.19
  libcurl3-gnutls 7.81.0-1ubuntu1.19
  libcurl3-nss 7.81.0-1ubuntu1.19
  libcurl4 7.81.0-1ubuntu1.19
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7104-1
CVE-2024-9681
Package Information:
https://launchpad.net/ubuntu/+source/curl/8.9.1-2ubuntu2.1
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.5
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.19