[USN-7205-1] Django vulnerability
[USN-7195-2] Linux kernel (Azure) vulnerabilities
[USN-7203-1] PowerDNS vulnerabilities
[USN-7198-1] rlottie vulnerabilities
[USN-7206-1] rsync vulnerabilities
[USN-7207-1] Git vulnerabilities
[USN-7205-1] Django vulnerability
==========================================================================
Ubuntu Security Notice USN-7205-1
January 14, 2025
python-django vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Django could be made to cause a denial of service if it received a
specially crafted IPv6 string.
Software Description:
- python-django: High-level Python web development framework
Details:
It was discovered that Django incorrectly handled certain IPv6
strings. An attacker could possibly use this issue to cause a
denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
python3-django 3:4.2.15-1ubuntu1.2
Ubuntu 24.04 LTS
python3-django 3:4.2.11-1ubuntu1.5
Ubuntu 22.04 LTS
python3-django 2:3.2.12-2ubuntu1.16
Ubuntu 20.04 LTS
python3-django 2:2.2.12-1ubuntu0.27
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7205-1
CVE-2024-56374
Package Information:
https://launchpad.net/ubuntu/+source/python-django/3:4.2.15-1ubuntu1.2
https://launchpad.net/ubuntu/+source/python-django/3:4.2.11-1ubuntu1.5
https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.16
https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.27
[USN-7195-2] Linux kernel (Azure) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7195-2
January 14, 2025
linux-azure-5.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems
Details:
Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not
properly handle certain error conditions, leading to a NULL pointer
dereference. A local attacker could possibly trigger this vulnerability to
cause a denial of service. (CVE-2022-38096)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM32 architecture;
- ARM64 architecture;
- S390 architecture;
- x86 architecture;
- Power management core;
- GPU drivers;
- InfiniBand drivers;
- Network drivers;
- S/390 drivers;
- SCSI subsystem;
- TTY drivers;
- BTRFS file system;
- Ext4 file system;
- EROFS file system;
- F2FS file system;
- File systems infrastructure;
- BPF subsystem;
- Socket messages infrastructure;
- Bluetooth subsystem;
- Memory management;
- Amateur Radio drivers;
- Ethernet bridge;
- Networking core;
- IPv4 networking;
- Network traffic control;
- Sun RPC protocol;
- VMware vSockets driver;
- SELinux security module;
(CVE-2024-42240, CVE-2024-36938, CVE-2024-35967, CVE-2024-36953,
CVE-2022-48938, CVE-2024-38553, CVE-2024-35904, CVE-2024-35965,
CVE-2024-26947, CVE-2024-36968, CVE-2024-43892, CVE-2024-38597,
CVE-2023-52498, CVE-2021-47501, CVE-2024-44942, CVE-2024-42077,
CVE-2024-53057, CVE-2024-46724, CVE-2024-35963, CVE-2022-48943,
CVE-2024-42068, CVE-2024-42156, CVE-2022-48733, CVE-2023-52639,
CVE-2021-47101, CVE-2023-52821, CVE-2024-44940, CVE-2024-36952,
CVE-2021-47001, CVE-2024-38538, CVE-2024-40910, CVE-2021-47076,
CVE-2024-35966, CVE-2024-50264, CVE-2024-35951, CVE-2023-52488,
CVE-2023-52497, CVE-2024-49967)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
linux-image-5.4.0-1142-azure 5.4.0-1142.149~18.04.1
Available with Ubuntu Pro
linux-image-azure 5.4.0.1142.149~18.04.1
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7195-2
https://ubuntu.com/security/notices/USN-7195-1
CVE-2021-47001, CVE-2021-47076, CVE-2021-47101, CVE-2021-47501,
CVE-2022-38096, CVE-2022-48733, CVE-2022-48938, CVE-2022-48943,
CVE-2023-52488, CVE-2023-52497, CVE-2023-52498, CVE-2023-52639,
CVE-2023-52821, CVE-2024-26947, CVE-2024-35904, CVE-2024-35951,
CVE-2024-35963, CVE-2024-35965, CVE-2024-35966, CVE-2024-35967,
CVE-2024-36938, CVE-2024-36952, CVE-2024-36953, CVE-2024-36968,
CVE-2024-38538, CVE-2024-38553, CVE-2024-38597, CVE-2024-40910,
CVE-2024-42068, CVE-2024-42077, CVE-2024-42156, CVE-2024-42240,
CVE-2024-43892, CVE-2024-44940, CVE-2024-44942, CVE-2024-46724,
CVE-2024-49967, CVE-2024-50264, CVE-2024-53057
[USN-7203-1] PowerDNS vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7203-1
January 14, 2025
pdns, pdns-recursor vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PowerDNS.
Software Description:
- pdns: extremely powerful and versatile nameserver
- pdns-recursor: PowerDNS Recursor
Details:
Wei Hao discovered that PowerDNS Authoritative Server incorrectly handled
memory when accessing certain files. An attacker could possibly use this
issue to achieve arbitrary code execution. (CVE-2018-1046)
It was discovered that PowerDNS Authoritative Server and PowerDNS Recursor
incorrectly handled memory when receiving certain remote input. An attacker
could possibly use this issue to cause denial of service. (CVE-2018-10851)
Kees Monshouwer discovered that PowerDNS Authoritative Server and PowerDNS
Recursor incorrectly handled request validation after having cached
malformed input. An attacker could possibly use this issue to cause denial
of service. (CVE-2018-14626)
Toshifumi Sakaguchi discovered that PowerDNS Recursor incorrectly handled
requests after having cached malformed input. An attacker could possibly
use this issue to cause denial of service. (CVE-2018-14644)
Nathaniel Ferguson discovered that PowerDNS Authoritative Server
incorrectly handled memory when receiving certain remote input. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2020-17482)
Nicolas Dehaine and Dmitry Shabanov discovered that PowerDNS Authoritative
Server and PowerDNS Recursor incorrectly handled IXFR requests in certain
circumstances. An attacker could possibly use this issue to cause denial of
service. (CVE-2022-27227)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
pdns-recursor 4.6.0-1ubuntu1+esm1
Available with Ubuntu Pro
pdns-server 4.5.3-1ubuntu0.1~esm1
Available with Ubuntu Pro
pdns-tools 4.5.3-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
pdns-recursor 4.2.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
pdns-server 4.2.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
pdns-tools 4.2.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
pdns-recursor 4.1.1-2ubuntu0.1~esm1
Available with Ubuntu Pro
pdns-server 4.1.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
pdns-tools 4.1.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
pdns-recursor 4.0.0~alpha2-2ubuntu0.1+esm1
Available with Ubuntu Pro
pdns-server 4.0.0~alpha2-3ubuntu0.1~esm1
Available with Ubuntu Pro
pdns-tools 4.0.0~alpha2-3ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7203-1
CVE-2018-1046, CVE-2018-10851, CVE-2018-14626, CVE-2018-14644,
CVE-2020-17482, CVE-2022-27227
[USN-7198-1] rlottie vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7198-1
January 10, 2025
rlottie vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in rlottie.
Software Description:
- rlottie: library for rendering vector based animations and art
Details:
Paolo Giai discovered a series of stack-based overflow vulnerabilities in
the blit and gray_render_cubic functions of a custom fork of the rlottie
library. An attacker could possibly use this issue to leak sensitive
information. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. (CVE-2021-31315, CVE-2021-31321)
Paolo Giai discovered a series of type confusion vulnerabilities in the
VDasher constructor and the LOTCompLayerItem::LOTCompLayerItem function
of a custom fork of the rlottie library. An attacker could possibly use
this issue to leak sensitive information. This issue only affected Ubuntu
20.04 LTS. (CVE-2021-31317, CVE-2021-31318)
Paolo Giai discovered an integer overflow vulnerability in the
LOTGradient::populate function of a custom fork of the rlottie library.
An attacker could possibly use this issue to leak sensitive information.
This issue only affected Ubuntu 20.04 LTS. (CVE-2021-31319)
Paolo Giai discovered a series of heap buffer overflow vulnerabilities
in the VGradientCache::generateGradientColorTable and
LOTGradient::populate functions of a custom fork of the rlottie library.
[USN-7206-1] rsync vulnerabilities
=========================================================================
Ubuntu Security Notice USN-7206-1
January 14, 2025
Several security issues were fixed in rsync
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in rsync.
Software Description:
- rsync: fast, versatile, remote (and local) file-copying tool
Details:
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
did not properly handle checksum lengths. An attacker could use this
issue to execute arbitrary code. (CVE-2024-12084)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
compared checksums with uninitialized memory. An attacker could exploit
this issue to leak sensitive information. (CVE-2024-12085)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
incorrectly handled file checksums. A malicious server could use this
to expose arbitrary client files. (CVE-2024-12086)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
mishandled symlinks for some settings. An attacker could exploit this
to write files outside the intended directory. (CVE-2024-12087)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
failed to verify symbolic link destinations for some settings. An
attacker could exploit this for path traversal attacks. (CVE-2024-12088)
Aleksei Gorban discovered a race condition in rsync's handling of
symbolic links. An attacker could use this to access sensitive
information or escalate privileges. (CVE-2024-12747)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
rsync 3.2.7-1ubuntu1.1
Ubuntu 22.04 LTS
rsync 3.2.7-0ubuntu0.22.04.3
Ubuntu 20.04 LTS
rsync 3.1.3-8ubuntu0.8
Ubuntu 18.04 LTS
rsync 3.1.2-2.1ubuntu1.6+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
rsync 3.1.1-3ubuntu1.3+esm3
Available with Ubuntu Pro
Ubuntu 14.04 LTS
rsync 3.1.0-2ubuntu0.4+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
After a standard system update you need to restart rsync daemons if
configured to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7206-1
CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087,
CVE-2024-12088, CVE-2024-12747
Package Information:
https://launchpad.net/ubuntu/+source/rsync/3.2.7-1ubuntu1.1
https://launchpad.net/ubuntu/+source/rsync/3.2.7-0ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/rsync/3.1.3-8ubuntu0.8
[USN-7207-1] Git vulnerabilities
=========================================================================
Ubuntu Security Notice USN-7207-1
January 14, 2025
git vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Git.
Software Description:
- git: fast, scalable, distributed revision control system
Details:
It was discovered that Git incorrectly handled certain URLs when
asking for credentials. An attacker could possibly use this
issue to mislead the user into typing passwords for trusted
sites that would then be sent to untrusted sites instead.
(CVE-2024-50349)
It was discovered that git incorrectly handled line endings when
using credential helpers. (CVE-2024-52006)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
git 1:2.45.2-1ubuntu1.1
Ubuntu 24.04 LTS
git 1:2.43.0-1ubuntu7.2
Ubuntu 22.04 LTS
git 1:2.34.1-1ubuntu1.12
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7207-1
CVE-2024-50349, CVE-2024-52006
Package Information:
https://launchpad.net/ubuntu/+source/git/1:2.45.2-1ubuntu1.1
https://launchpad.net/ubuntu/+source/git/1:2.43.0-1ubuntu7.2
https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.12
