Ubuntu 6586 Published by

The following updates have been released for Ubuntu Linux:

[USN-6970-1] exfatprogs vulnerability
[USN-6966-2] Firefox regressions
[USN-6944-2] curl vulnerability




[USN-6970-1] exfatprogs vulnerability


==========================================================================
Ubuntu Security Notice USN-6970-1
August 20, 2024

exfatprogs vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

exfatprogs could be made to crash or run programs if it handled a specially
crafted partition.

Software Description:
- exfatprogs: tools to create, check and label exFAT filesystems

Details:

It was discovered that exfatprogs incorrectly handled certain memory
operations. If a user or automated system were tricked into handling
specially crafted exfat partitions, a remote attacker could use this issue
to cause exfatprogs to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
exfatprogs 1.1.3-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6970-1
CVE-2023-45897

Package Information:
https://launchpad.net/ubuntu/+source/exfatprogs/1.1.3-1ubuntu0.1



[USN-6966-2] Firefox regressions


==========================================================================
Ubuntu Security Notice USN-6966-2
August 21, 2024

firefox regressions
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

USN-6966-1 caused some minor regressions in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-6966-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-7518,
CVE-2024-7521, CVE-2024-7524, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528,
CVE-2024-7529, CVE-2024-7530, CVE-2024-7531)

It was discovered that Firefox did not properly manage certain memory
operations when processing graphics shared memory. An attacker could
potentially exploit this issue to escape the sandbox. (CVE-2024-7519)

Nan Wang discovered that Firefox did not properly handle type check in
WebAssembly. An attacker could potentially exploit this issue to execute
arbitrary code. (CVE-2024-7520)

Irvan Kurniawan discovered that Firefox did not properly check an
attribute value in the editor component, leading to an out-of-bounds read
vulnerability. An attacker could possibly use this issue to cause a denial
of service or expose sensitive information. (CVE-2024-7522)

Rob Wu discovered that Firefox did not properly check permissions when
creating a StreamFilter. An attacker could possibly use this issue to
modify response body of requests on any site using a web extension.
(CVE-2024-7525)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
firefox 129.0.2+build1-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all the
necessary changes

References:
https://ubuntu.com/security/notices/USN-6966-2
https://ubuntu.com/security/notices/USN-6966-1
https://launchpad.net/bugs/2077485

Package Information:
https://launchpad.net/ubuntu/+source/firefox/129.0.2+build1-0ubuntu0.20.04.1



[USN-6944-2] curl vulnerability


==========================================================================
Ubuntu Security Notice USN-6944-2
August 20, 2024

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

curl could be made to crash or expose information if it received specially
crafted network traffic.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

USN-6944-1 fixed CVE-2024-7264 for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and
Ubuntu 24.04 LTS. This update provides the corresponding fix for
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS.

Original advisory details:

Dov Murik discovered that curl incorrectly handled parsing ASN.1
Generalized Time fields. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly obtain
sensitive memory contents.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
curl 7.58.0-2ubuntu3.24+esm5
Available with Ubuntu Pro
libcurl3-gnutls 7.58.0-2ubuntu3.24+esm5
Available with Ubuntu Pro
libcurl3-nss 7.58.0-2ubuntu3.24+esm5
Available with Ubuntu Pro
libcurl4 7.58.0-2ubuntu3.24+esm5
Available with Ubuntu Pro

Ubuntu 16.04 LTS
curl 7.47.0-1ubuntu2.19+esm13
Available with Ubuntu Pro
libcurl3 7.47.0-1ubuntu2.19+esm13
Available with Ubuntu Pro
libcurl3-gnutls 7.47.0-1ubuntu2.19+esm13
Available with Ubuntu Pro
libcurl3-nss 7.47.0-1ubuntu2.19+esm13
Available with Ubuntu Pro

Ubuntu 14.04 LTS
curl 7.35.0-1ubuntu2.20+esm18
Available with Ubuntu Pro
libcurl3 7.35.0-1ubuntu2.20+esm18
Available with Ubuntu Pro
libcurl3-gnutls 7.35.0-1ubuntu2.20+esm18
Available with Ubuntu Pro
libcurl3-nss 7.35.0-1ubuntu2.20+esm18
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6944-2
https://ubuntu.com/security/notices/USN-6944-1
CVE-2024-7264