[USN-7161-2] Docker vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7161-2
February 18, 2025
Docker vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Docker.
Software Description:
- docker.io-app: Linux container runtime
- docker.io: Linux container runtime
Details:
USN-7161-1 fixed CVE-2024-29018 in Ubuntu 24.04 LTS. This update fixes it
in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
USN-7161-1 fixed CVE-2024-41110 in Ubuntu 24.10, Ubuntu 24.04 LTS, and
Ubuntu 18.04 LTS. This update fixes it in Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS.
Original advisory details:
Yair Zak discovered that Docker could forward DNS requests from internal
networks in an unexpected manner. An attacker could possibly use this issue
to exfiltrate data by encoding information in DNS queries to controlled
nameservers. This issue was only addressed in Ubuntu 24.04 LTS.
(CVE-2024-29018)
Cory Snider discovered that Docker did not properly handle authorization
plugin request processing. An attacker could possibly use this issue to
bypass authorization controls by forwarding API requests without their
full body, leading to unauthorized actions. (CVE-2024-41110)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
docker.io 26.1.3-0ubuntu1~22.04.1+esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
docker.io 26.1.3-0ubuntu1~20.04.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
docker.io 20.10.21-0ubuntu1~18.04.3+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
docker.io 18.09.7-0ubuntu1~16.04.9+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7161-2
https://ubuntu.com/security/notices/USN-7161-1
CVE-2024-29018, CVE-2024-41110
[USN-7271-1] virtualenv vulnerability
==========================================================================
Ubuntu Security Notice USN-7271-1
February 18, 2025
python-virtualenv vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
python-virtualenv could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- python-virtualenv: Python virtual environment creator
Details:
It was discovered that virtualenv incorrectly handled paths when activating
virtual environments. An attacker could possibly use this issue to execute
arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
python3-virtualenv 20.13.0+ds-2ubuntu0.1~esm1
Available with Ubuntu Pro
virtualenv 20.13.0+ds-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
python3-virtualenv 20.0.17-1ubuntu0.4+esm1
Available with Ubuntu Pro
virtualenv 20.0.17-1ubuntu0.4+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7271-1
CVE-2024-53899
[USN-7272-1] Symfony vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7272-1
February 18, 2025
symfony vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Symfony.
Software Description:
- symfony: set of reusable components and framework for web projects
Details:
Soner Sayakci discovered that Symfony incorrectly handled cookie storage in
the web cache. An attacker could possibly use this issue to obtain
sensitive information and access unauthorized resources. (CVE-2022-24894)
Marco Squarcina discovered that Symfony incorrectly handled the storage of
user session information. An attacker could possibly use this issue to
perform a cross-site request forgery (CSRF) attack. (CVE-2022-24895)
Pierre Rudloff discovered that Symfony incorrectly checked HTML input. An
attacker could possibly use this issue to perform cross-site scripting.
(CVE-2023-46734)
Vladimir Dusheyko discovered that Symfony incorrectly sanitized special
input with a PHP directive in URL query strings. An attacker could possibly
use this issue to expose sensitive information or cause a denial of
service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 22.04 LTS.
(CVE-2024-50340)
Oleg Andreyev, Antoine Makdessi, and Moritz Rauch discovered that Symfony
incorrectly handled user authentication. An attacker could possibly use
this issue to access unauthorized resources and expose sensitive
information. This issue was only addressed in Ubuntu 24.04 LTS.
(CVE-2024-50341, CVE-2024-51996)
Linus Karlsson and Chris Smith discovered that Symfony returned internal
host information during host resolution. An attacker could possibly use
this issue to obtain sensitive information. This issue only affected Ubuntu
24.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-50342)
It was discovered that Symfony incorrectly parsed user input through
regular expressions. An attacker could possibly use this issue to expose
sensitive information. (CVE-2024-50343)
Sam Mush discovered that Symfony incorrectly parsed URIs with special
characters. An attacker could possibly use this issue to perform phishing
attacks. (CVE-2024-50345)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
php-symfony 6.4.5+dfsg-3ubuntu3+esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
php-symfony 5.4.4+dfsg-1ubuntu8+esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
php-symfony 4.3.8+dfsg-1ubuntu1+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7272-1
CVE-2022-24894, CVE-2022-24895, CVE-2023-46734, CVE-2024-50340,
CVE-2024-50341, CVE-2024-50342, CVE-2024-50343, CVE-2024-50345,
CVE-2024-51996
[USN-7270-1] OpenSSH vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7270-1
February 18, 2025
openssh vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in OpenSSH.
Software Description:
- openssh: secure shell (SSH) for secure access to remote machines
Details:
It was discovered that the OpenSSH client incorrectly handled the
non-default VerifyHostKeyDNS option. If that option were enabled, an
attacker could possibly impersonate a server by completely bypassing the
server identity check. (CVE-2025-26465)
It was discovered that OpenSSH incorrectly handled the transport-level ping
facility. A remote attacker could possibly use this issue to cause OpenSSH
clients and servers to consume resources, leading to a denial of service.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10.
(CVE-2025-26466)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
openssh-client 1:9.7p1-7ubuntu4.2
openssh-server 1:9.7p1-7ubuntu4.2
Ubuntu 24.04 LTS
openssh-client 1:9.6p1-3ubuntu13.8
openssh-server 1:9.6p1-3ubuntu13.8
Ubuntu 22.04 LTS
openssh-client 1:8.9p1-3ubuntu0.11
openssh-server 1:8.9p1-3ubuntu0.11
Ubuntu 20.04 LTS
openssh-client 1:8.2p1-4ubuntu0.12
openssh-server 1:8.2p1-4ubuntu0.12
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7270-1
CVE-2025-26465, CVE-2025-26466
Package Information:
https://launchpad.net/ubuntu/+source/openssh/1:9.7p1-7ubuntu4.2
https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.8
https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.11
https://launchpad.net/ubuntu/+source/openssh/1:8.2p1-4ubuntu0.12
[USN-7274-1] Atril vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7274-1
February 18, 2025
atril vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Atril could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- atril: Official Document Viewer of the MATE Desktop Environment
Details:
It was discovered that Atril incorrectly handled certain PDF files.
An attacker could possibly use this issue to cause a denial of service
or to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2019-1010006)
Andy Nguyen discovered that Atril incorrectly handled certain images. An
attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 16.04 LTS. (CVE-2019-11459)
Febin Mon Saji discovered that Atril incorrectly handled certain
compressed files. A remote attacker could possibly use this issue to
cause a denial of service or to execute arbitrary code. (CVE-2023-51698)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
atril 1.26.0-1ubuntu1.2
atril-common 1.26.0-1ubuntu1.2
libatrildocument3 1.26.0-1ubuntu1.2
Ubuntu 20.04 LTS
atril 1.24.0-1ubuntu0.2
atril-common 1.24.0-1ubuntu0.2
libatrildocument3 1.24.0-1ubuntu0.2
Ubuntu 18.04 LTS
atril 1.20.1-2ubuntu2+esm2
Available with Ubuntu Pro
atril-common 1.20.1-2ubuntu2+esm2
Available with Ubuntu Pro
libatrildocument3 1.20.1-2ubuntu2+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7274-1
CVE-2019-1010006, CVE-2019-11459, CVE-2023-51698
Package Information:
https://launchpad.net/ubuntu/+source/atril/1.26.0-1ubuntu1.2
https://launchpad.net/ubuntu/+source/atril/1.24.0-1ubuntu0.2
[USN-7270-2] OpenSSH vulnerability
==========================================================================
Ubuntu Security Notice USN-7270-2
February 18, 2025
openssh vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
OpenSSH could be made to bypass the server identity check.
Software Description:
- openssh: secure shell (SSH) for secure access to remote machines
Details:
USN-7270-1 fixed a vulnerability in OpenSSH. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that the OpenSSH client incorrectly handled the
non-default VerifyHostKeyDNS option. If that option were enabled, an
attacker could possibly impersonate a server by completely bypassing the
server identity check. (CVE-2025-26465)
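The client-side setting named in USN-7270-1 and USN-7270-2 is off by default, so the practical question for a defender is whether any client configuration on the fleet has turned it on. The following is an added example, not code from the notice or from OpenSSH: it scans ssh_config-style text (the layout of /etc/ssh/ssh_config and ~/.ssh/config) and reports every Host/Match block that sets VerifyHostKeyDNS to anything other than `no`. The sample configuration and the function names are mine; `ssh -G <host>` remains the authoritative way to see the value OpenSSH actually applies for one host.

```python
"""Find ssh_config blocks that enable VerifyHostKeyDNS.

Added example for USN-7270-1/USN-7270-2; not code from the notice or from
OpenSSH. It scans ssh_config-style text (/etc/ssh/ssh_config, ~/.ssh/config)
and reports every Host/Match block where VerifyHostKeyDNS is set to anything
other than 'no', the default. Keywords are matched case-insensitively and
'keyword value' and 'keyword=value' are both accepted, as in ssh_config.
"""
import re

# Constructed sample configuration (not from a real host).
SAMPLE_SSH_CONFIG = """\
# Global defaults, in effect for every host unless a block overrides them.
VerifyHostKeyDNS no

Host build-*.internal
    verifyhostkeydns=yes
    StrictHostKeyChecking yes

Match host legacy.example.test
    VerifyHostKeyDNS ask

Host *
    User deploy
"""

# keyword, then '=' or whitespace, then the rest of the line as the value
_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$")

def parse_ssh_config(text):
    """Yield (block, keyword, value); block is the Host/Match line in force, '*' before any."""
    block = "*"
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or whole-line comment
        m = _DIRECTIVE.match(raw)
        if not m:
            continue                      # not a directive this scanner understands
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword in ("host", "match"):
            block = f"{keyword} {value}"  # start of a new block
            continue
        yield block, keyword, value

def find_dns_hostkey_verification(text):
    """Return [(block, value)] for every VerifyHostKeyDNS setting other than 'no'.

    'yes' lets an SSHFP record in DNS vouch for a host key; 'ask' prompts.
    Every occurrence is reported in file order; ssh itself applies the first
    value obtained for a given host, which `ssh -G <host>` shows.
    """
    return [
        (block, value.lower())
        for block, keyword, value in parse_ssh_config(text)
        if keyword == "verifyhostkeydns" and value.lower() != "no"
    ]

if __name__ == "__main__":
    findings = find_dns_hostkey_verification(SAMPLE_SSH_CONFIG)
    if not findings:
        print("VerifyHostKeyDNS is 'no' everywhere")
    for block, value in findings:
        print(f"VerifyHostKeyDNS {value} in block: {block}")
```

Run against the constructed sample it reports the `build-*.internal` block (`yes`) and the `legacy.example.test` Match block (`ask`), while the global `no` produces nothing. Pointing it at real files is a matter of passing their contents to `find_dns_hostkey_verification`; an empty result for every file on a host means the bypass in CVE-2025-26465 was never reachable there, which is worth recording alongside the package update.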
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
openssh-client 1:7.6p1-4ubuntu0.7+esm4
Available with Ubuntu Pro
openssh-server 1:7.6p1-4ubuntu0.7+esm4
Available with Ubuntu Pro
Ubuntu 16.04 LTS
openssh-client 1:7.2p2-4ubuntu2.10+esm7
Available with Ubuntu Pro
openssh-server 1:7.2p2-4ubuntu2.10+esm7
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7270-2
https://ubuntu.com/security/notices/USN-7270-1
CVE-2025-26465
[USN-7275-1] Libtasn1 vulnerability
==========================================================================
Ubuntu Security Notice USN-7275-1
February 18, 2025
libtasn1-6 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Libtasn1 could be made to crash if it received specially crafted network
traffic.
Software Description:
- libtasn1-6: Library to manage ASN.1 structures
Details:
Bing Shi discovered that Libtasn1 inefficiently handled certificates. An
attacker could possibly use this issue to increase resource utilization
leading to a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libtasn1-6 4.19.0-3ubuntu0.24.10.1
libtasn1-bin 4.19.0-3ubuntu0.24.10.1
Ubuntu 22.04 LTS
libtasn1-6 4.18.0-4ubuntu0.1
libtasn1-bin 4.18.0-4ubuntu0.1
Ubuntu 20.04 LTS
libtasn1-6 4.16.0-2ubuntu0.1
libtasn1-bin 4.16.0-2ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7275-1
CVE-2024-12133
Package Information:
https://launchpad.net/ubuntu/+source/libtasn1-6/4.19.0-3ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/libtasn1-6/4.18.0-4ubuntu0.1
https://launchpad.net/ubuntu/+source/libtasn1-6/4.16.0-2ubuntu0.1
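Every notice above ends with the same instruction: update to the listed package versions. The check a practitioner wants is whether what is installed is already at or past those versions, and the `~`/`+esm` suffixes in the ESM packages make a plain string comparison wrong. The following is an added example, not code from Ubuntu, Canonical or dpkg: it reimplements the Debian version ordering in Python so it runs where dpkg is absent, and applies it to a constructed `dpkg-query -W -f='${Package} ${Version}\n'` listing for Ubuntu 22.04 LTS, using fixed versions taken from the notices in this digest. The `FIXED` table, the sample listing and the function names are mine; on an Ubuntu host `dpkg --compare-versions` gives the same answers.

```python
"""Compare installed Ubuntu package versions with the fixed versions of a USN.

Added example for this notice digest; not code from Ubuntu, Canonical or dpkg.
It reimplements the Debian version ordering (epoch, upstream version, Debian
revision; '~' sorts before everything, even the end of the string) so it runs
where dpkg is absent. On an Ubuntu host, `dpkg --compare-versions` gives the
same answers and `dpkg-query -W -f='${Package} ${Version}\\n'` produces the
kind of listing parsed below.
"""
import re

# Fixed versions for Ubuntu 22.04 LTS, copied from the notices above.
FIXED = {
    ("22.04", "docker.io"): "26.1.3-0ubuntu1~22.04.1+esm1",   # USN-7161-2
    ("22.04", "php-symfony"): "5.4.4+dfsg-1ubuntu8+esm1",     # USN-7272-1
    ("22.04", "openssh-client"): "1:8.9p1-3ubuntu0.11",       # USN-7270-1
    ("22.04", "openssh-server"): "1:8.9p1-3ubuntu0.11",       # USN-7270-1
    ("22.04", "atril"): "1.26.0-1ubuntu1.2",                  # USN-7274-1
    ("22.04", "libtasn1-6"): "4.18.0-4ubuntu0.1",             # USN-7275-1
}

# Constructed dpkg-query listing (not from a real host).
SAMPLE_LISTING = """\
openssh-client 1:8.9p1-3ubuntu0.10
openssh-server 1:8.9p1-3ubuntu0.11
libtasn1-6 4.18.0-4ubuntu0.1
docker.io 26.1.3-0ubuntu1~22.04.1
atril 1.26.0-1ubuntu1.2
example-tool 1.0-1
"""

def _order(c):
    """dpkg's character weight for the non-digit parts of a version."""
    if c == "~":
        return -1          # sorts before everything, even end-of-string
    if c == "":
        return 0           # end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # punctuation sorts after letters

def _cmp_fragment(a, b):
    """Compare an upstream-version or revision pair: -1, 0 or 1."""
    while a or b:
        # Non-digit run, compared character by character.
        sa = re.match(r"\D*", a).group()
        sb = re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i] if i < len(sa) else "")
            ob = _order(sb[i] if i < len(sb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        # Digit run, compared numerically (leading zeros do not matter).
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0

def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def check_installed(listing, release, fixed=FIXED):
    """Map each listed package that a notice covers to (installed, fixed, status)."""
    report = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        pkg, installed = parts[0], parts[1]
        fix = fixed.get((release, pkg))
        if fix is None:
            continue           # not covered by a notice in this digest
        status = "ok" if compare_versions(installed, fix) >= 0 else "VULNERABLE"
        report[pkg] = (installed, fix, status)
    return report

if __name__ == "__main__":
    for pkg, (have, need, status) in check_installed(SAMPLE_LISTING, "22.04").items():
        print(f"{status:10} {pkg}: installed {have}, fixed in {need}")
```

Two rows in the constructed listing are the ones that matter: `openssh-client` at `1:8.9p1-3ubuntu0.10` is one revision short of the fix, and `docker.io` at `26.1.3-0ubuntu1~22.04.1` lacks the `+esm1` suffix, which the Debian ordering correctly ranks below the fixed version (whereas `~` sorts below an empty string, so `1.0~rc1` is older than `1.0`). Packages not in the table are skipped rather than reported, so an empty report means nothing from these notices is installed, not that everything is patched.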