[USN-7145-1] Expat vulnerability
==========================================================================
Ubuntu Security Notice USN-7145-1
December 10, 2024
expat vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Expat could be made to crash if an unstarted parser was resumed.
Software Description:
- expat: XML parsing C library
Details:
It was discovered that Expat did not properly handle its internal state
when attempting to resume an unstarted parser. An attacker could use this
issue to cause a denial of service (application crash).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
expat 2.6.2-2ubuntu0.1
libexpat1 2.6.2-2ubuntu0.1
libexpat1-dev 2.6.2-2ubuntu0.1
Ubuntu 24.04 LTS
expat 2.6.1-2ubuntu0.2
libexpat1 2.6.1-2ubuntu0.2
libexpat1-dev 2.6.1-2ubuntu0.2
Ubuntu 22.04 LTS
expat 2.4.7-1ubuntu0.5
libexpat1 2.4.7-1ubuntu0.5
libexpat1-dev 2.4.7-1ubuntu0.5
Ubuntu 20.04 LTS
expat 2.2.9-1ubuntu0.8
libexpat1 2.2.9-1ubuntu0.8
libexpat1-dev 2.2.9-1ubuntu0.8
Ubuntu 18.04 LTS
expat 2.2.5-3ubuntu0.9+esm2
Available with Ubuntu Pro
libexpat1 2.2.5-3ubuntu0.9+esm2
Available with Ubuntu Pro
libexpat1-dev 2.2.5-3ubuntu0.9+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
expat 2.1.0-7ubuntu0.16.04.5+esm10
Available with Ubuntu Pro
lib64expat1 2.1.0-7ubuntu0.16.04.5+esm10
Available with Ubuntu Pro
lib64expat1-dev 2.1.0-7ubuntu0.16.04.5+esm10
Available with Ubuntu Pro
libexpat1 2.1.0-7ubuntu0.16.04.5+esm10
Available with Ubuntu Pro
libexpat1-dev 2.1.0-7ubuntu0.16.04.5+esm10
Available with Ubuntu Pro
Ubuntu 14.04 LTS
expat 2.1.0-4ubuntu1.4+esm10
Available with Ubuntu Pro
lib64expat1 2.1.0-4ubuntu1.4+esm10
Available with Ubuntu Pro
lib64expat1-dev 2.1.0-4ubuntu1.4+esm10
Available with Ubuntu Pro
libexpat1 2.1.0-4ubuntu1.4+esm10
Available with Ubuntu Pro
libexpat1-dev 2.1.0-4ubuntu1.4+esm10
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7145-1
CVE-2024-50602
Package Information:
https://launchpad.net/ubuntu/+source/expat/2.6.2-2ubuntu0.1
https://launchpad.net/ubuntu/+source/expat/2.6.1-2ubuntu0.2
https://launchpad.net/ubuntu/+source/expat/2.4.7-1ubuntu0.5
https://launchpad.net/ubuntu/+source/expat/2.2.9-1ubuntu0.8
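As an added example (not part of the notice), the following Python script checks installed expat package versions against the fixed versions listed above, and the same comparison applies to the version lists in the other notices on this page. It re-implements dpkg's version ordering so it runs offline, the dpkg-query output it checks is a constructed sample, and the names FIXED_EXPAT, compare_versions and check_dpkg_output are my own; on a live host, `dpkg --compare-versions` is the authoritative check.

```python
# Added example, not part of the notice: check installed expat packages against the
# fixed versions above, re-implementing dpkg's version ordering so it runs offline.
import re

FIXED_EXPAT = {  # fixed versions per release, copied from USN-7145-1 above
    "24.10": "2.6.2-2ubuntu0.1", "24.04": "2.6.1-2ubuntu0.2",
    "22.04": "2.4.7-1ubuntu0.5", "20.04": "2.2.9-1ubuntu0.8",
    "18.04": "2.2.5-3ubuntu0.9+esm2", "16.04": "2.1.0-7ubuntu0.16.04.5+esm10",
    "14.04": "2.1.0-4ubuntu1.4+esm10",
}
# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` on a 22.04 host.
SAMPLE_DPKG_OUTPUT = "libexpat1 2.4.7-1ubuntu0.3\nlibexpat1-dev 2.4.7-1ubuntu0.3\n"

def _weight(s, k):
    """dpkg weight of s[k]: end/digit 0, '~' -1, letter ord(), other symbol ord()+256."""
    c = s[k] if k < len(s) else ""
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    """Compare one upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, weight by weight: "0.9" < "0.9+esm2" but "0.1~esm2" < "0.1".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            if _weight(a, i) != _weight(b, j):
                return -1 if _weight(a, i) < _weight(b, j) else 1
            i, j = i + 1, j + 1
        # Digit run, numerically: esm2 < esm10 and ubuntu0.9 < ubuntu0.10.
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 ordering Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def check_dpkg_output(release, output):
    """Map each package in dpkg-query output to 'fixed' or 'vulnerable' for USN-7145-1."""
    fixed = FIXED_EXPAT[release]
    return {pkg: "fixed" if compare_versions(ver, fixed) >= 0 else "vulnerable"
            for pkg, ver in (line.split() for line in output.splitlines())}
```

Note that a `+esmN` suffix sorts after the plain revision while a `~esmN` suffix sorts before it, which is why both forms appear in the version lists on this page.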
[USN-7149-1] Intel Microcode vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7149-1
December 11, 2024
intel-microcode vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Intel Microcode.
Software Description:
- intel-microcode: Processor microcode for Intel CPUs
Details:
Avraham Shalev and Nagaraju N Kodalapura discovered that some Intel(R)
Xeon(R) processors did not properly restrict access to the memory
controller when using Intel(R) SGX. This may allow a local privileged
attacker to further escalate their privileges. (CVE-2024-21820,
CVE-2024-23918)
It was discovered that some 4th and 5th Generation Intel(R) Xeon(R)
Processors did not properly implement finite state machines (FSMs) in
hardware logic. This may allow a local privileged attacker to cause a
denial of service (system crash). (CVE-2024-21853)
It was discovered that some Intel(R) Processors did not properly restrict
access to the Running Average Power Limit (RAPL) interface. This may allow
a local privileged attacker to obtain sensitive information.
(CVE-2024-23984)
It was discovered that some Intel(R) Processors did not properly implement
finite state machines (FSMs) in hardware logic. This may allow a local
privileged attacker to cause a denial of service (system crash).
(CVE-2024-24968)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
intel-microcode 3.20241112.0ubuntu0.24.10.1
Ubuntu 24.04 LTS
intel-microcode 3.20241112.0ubuntu0.24.04.1
Ubuntu 22.04 LTS
intel-microcode 3.20241112.0ubuntu0.22.04.1
Ubuntu 20.04 LTS
intel-microcode 3.20241112.0ubuntu0.20.04.1
Ubuntu 18.04 LTS
intel-microcode 3.20241112.0ubuntu0.18.04.1+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
intel-microcode 3.20241112.0ubuntu0.16.04.1+esm1
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7149-1
CVE-2024-21820, CVE-2024-21853, CVE-2024-23918, CVE-2024-23984,
CVE-2024-24968
Package Information:
https://launchpad.net/ubuntu/+source/intel-microcode/3.20241112.0ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/intel-microcode/3.20241112.0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/intel-microcode/3.20241112.0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/intel-microcode/3.20241112.0ubuntu0.20.04.1
[USN-7148-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7148-1
December 10, 2024
linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-kvm: Linux kernel for cloud environments
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty
Details:
Lyu Tao discovered that the NFS implementation in the Linux kernel did not
properly handle requests to open a directory on a regular file. A local
attacker could use this to expose sensitive information (kernel memory).
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- x86 architecture;
- ATM drivers;
- Device frequency scaling framework;
- GPU drivers;
- Hardware monitoring drivers;
- VMware VMCI Driver;
- MTD block device drivers;
- Network drivers;
- Device tree and open firmware driver;
- SCSI subsystem;
- USB Serial drivers;
- BTRFS file system;
- File systems infrastructure;
- F2FS file system;
- JFS file system;
- NILFS2 file system;
- Netfilter;
- Memory management;
- Ethernet bridge;
- IPv6 networking;
- Logical Link layer;
- MAC80211 subsystem;
- NFC subsystem;
- Network traffic control;
(CVE-2021-47055, CVE-2024-26675, CVE-2024-42244, CVE-2024-46743,
CVE-2024-41095, CVE-2024-46756, CVE-2024-46723, CVE-2024-46759,
CVE-2024-35877, CVE-2024-38538, CVE-2024-26668, CVE-2024-44998,
CVE-2024-42309, CVE-2024-46758, CVE-2024-46800, CVE-2022-48733,
CVE-2023-52531, CVE-2023-52599, CVE-2024-46722, CVE-2024-42240,
CVE-2024-44987, CVE-2023-52502, CVE-2023-52578, CVE-2024-41059,
CVE-2024-41071, CVE-2024-44942, CVE-2024-46738, CVE-2022-48943,
CVE-2023-52614, CVE-2024-27397, CVE-2024-38560, CVE-2024-43882,
CVE-2024-42104, CVE-2024-46757, CVE-2024-26636, CVE-2024-26633,
CVE-2024-41089, CVE-2024-42310, CVE-2022-48938)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
linux-image-4.4.0-1139-kvm 4.4.0-1139.149
Available with Ubuntu Pro
linux-image-4.4.0-1176-aws 4.4.0-1176.191
Available with Ubuntu Pro
linux-image-4.4.0-261-generic 4.4.0-261.295
Available with Ubuntu Pro
linux-image-4.4.0-261-lowlatency 4.4.0-261.295
Available with Ubuntu Pro
linux-image-aws 4.4.0.1176.180
Available with Ubuntu Pro
linux-image-generic 4.4.0.261.267
Available with Ubuntu Pro
linux-image-generic-lts-xenial 4.4.0.261.267
Available with Ubuntu Pro
linux-image-kvm 4.4.0.1139.136
Available with Ubuntu Pro
linux-image-lowlatency 4.4.0.261.267
Available with Ubuntu Pro
linux-image-lowlatency-lts-xenial 4.4.0.261.267
Available with Ubuntu Pro
linux-image-virtual 4.4.0.261.267
Available with Ubuntu Pro
linux-image-virtual-lts-xenial 4.4.0.261.267
Available with Ubuntu Pro
Ubuntu 14.04 LTS
linux-image-4.4.0-1138-aws 4.4.0-1138.144
Available with Ubuntu Pro
linux-image-4.4.0-261-generic 4.4.0-261.295~14.04.1
Available with Ubuntu Pro
linux-image-4.4.0-261-lowlatency 4.4.0-261.295~14.04.1
Available with Ubuntu Pro
linux-image-aws 4.4.0.1138.135
Available with Ubuntu Pro
linux-image-generic-lts-xenial 4.4.0.261.295~14.04.1
Available with Ubuntu Pro
linux-image-lowlatency-lts-xenial 4.4.0.261.295~14.04.1
Available with Ubuntu Pro
linux-image-virtual-lts-xenial 4.4.0.261.295~14.04.1
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7148-1
CVE-2021-47055, CVE-2022-24448, CVE-2022-48733, CVE-2022-48938,
CVE-2022-48943, CVE-2023-52502, CVE-2023-52531, CVE-2023-52578,
CVE-2023-52599, CVE-2023-52614, CVE-2024-26633, CVE-2024-26636,
CVE-2024-26668, CVE-2024-26675, CVE-2024-27397, CVE-2024-35877,
CVE-2024-38538, CVE-2024-38560, CVE-2024-41059, CVE-2024-41071,
CVE-2024-41089, CVE-2024-41095, CVE-2024-42104, CVE-2024-42240,
CVE-2024-42244, CVE-2024-42309, CVE-2024-42310, CVE-2024-43882,
CVE-2024-44942, CVE-2024-44987, CVE-2024-44998, CVE-2024-46722,
CVE-2024-46723, CVE-2024-46738, CVE-2024-46743, CVE-2024-46756,
CVE-2024-46757, CVE-2024-46758, CVE-2024-46759, CVE-2024-46800
[USN-7147-1] Apache Shiro vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7147-1
December 10, 2024
shiro vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Apache Shiro.
Software Description:
- shiro: Powerful and easy-to-use Java security framework
Details:
It was discovered that Apache Shiro incorrectly handled path traversal when
used with other web frameworks or path rewriting. An attacker could
possibly use this issue to obtain sensitive information or administrative
privileges. This update provides the corresponding fix for Ubuntu 24.04 LTS
and Ubuntu 24.10. (CVE-2023-34478, CVE-2023-46749)
It was discovered that Apache Shiro incorrectly handled web redirects when
used together with the form authentication method. An attacker could
possibly use this issue to perform phishing attacks. This update provides
the corresponding fix for Ubuntu 24.04 LTS and Ubuntu 24.10.
(CVE-2023-46750)
It was discovered that Apache Shiro incorrectly handled requests through
servlet filtering. An attacker could possibly use this issue to obtain
administrative privileges. This update provides the corresponding fix for
Ubuntu 16.04 LTS. (CVE-2016-6802)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libshiro-java 1.3.2-5ubuntu0.24.10.1
Ubuntu 24.04 LTS
libshiro-java 1.3.2-5ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libshiro-java 1.2.4-1ubuntu0.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7147-1
CVE-2016-6802, CVE-2023-34478, CVE-2023-46749, CVE-2023-46750
Package Information:
https://launchpad.net/ubuntu/+source/shiro/1.3.2-5ubuntu0.24.10.1