[USN-6779-2] Firefox regressions
==========================================================================
Ubuntu Security Notice USN-6779-2
May 29, 2024
firefox regressions
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
USN-6779-1 caused some minor regressions in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
USN-6779-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-4767,
CVE-2024-4768, CVE-2024-4769, CVE-2024-4771, CVE-2024-4772, CVE-2024-4773,
CVE-2024-4774, CVE-2024-4775, CVE-2024-4776, CVE-2024-4777, CVE-2024-4778)
Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory
when an audio input was connected to multiple consumers. An attacker could
potentially exploit this issue to cause a denial of service, or execute
arbitrary code. (CVE-2024-4764)
Thomas Rinsma discovered that Firefox did not properly perform type checks
when handling fonts in PDF.js. An attacker could potentially exploit this
issue to execute arbitrary JavaScript code in PDF.js. (CVE-2024-4367)
Irvan Kurniawan discovered that Firefox did not properly handle certain
font styles when saving a page to PDF. An attacker could potentially
exploit this issue to cause a denial of service. (CVE-2024-4770)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
firefox 126.0.1+build1-0ubuntu0.20.04.1
After a standard system update you need to restart Firefox to make all the
necessary changes.
References:
https://ubuntu.com/security/notices/USN-6779-2
https://ubuntu.com/security/notices/USN-6779-1
https://launchpad.net/bugs/2067445
Package Information:
https://launchpad.net/ubuntu/+source/firefox/126.0.1+build1-0ubuntu0.20.04.1
[USN-6787-1] Jinja2 vulnerability
==========================================================================
Ubuntu Security Notice USN-6787-1
May 28, 2024
jinja2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Jinja2 could allow cross-site scripting (XSS) attacks.
Software Description:
- jinja2: small but fast and easy to use stand-alone template engine
Details:
It was discovered that Jinja2 incorrectly handled certain HTML attributes
that were accepted by the xmlattr filter. An attacker could use this issue
to inject arbitrary HTML attribute keys and values to potentially execute
a cross-site scripting (XSS) attack.
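The notice says the flaw was that the xmlattr filter accepted attribute keys it should have rejected, so untrusted keys could split or add attributes. The helper below is an added example, not Jinja2's own code or its fix: it renders a mapping as HTML attributes the way a template filter would, but enforces a conservative allowlist for attribute names (the exact character rule is this example's assumption, not the rule Jinja2 adopted), refuses event-handler attributes, and HTML-escapes every value.

```python
"""Defensive rendering of HTML attributes from untrusted keys and values.

Added example, not Jinja2's code. A template helper must never trust an
attribute *name* that came from user input: whitespace, '/', '>', '=' and
quotes can each terminate or split an attribute. The allowlist below is
this example's own choice, not the rule Jinja2 adopted in its fix.
"""
import html
import re

# Attribute names we are willing to emit: a letter or underscore, then letters,
# digits, '-', '_', '.' or ':'. Anything else is rejected outright.
_ATTR_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.:-]*")

# Event-handler attributes (onclick, onerror, ...) execute script; refuse them
# even when the name itself is well-formed.
_DENIED_PREFIXES = ("on",)


class UnsafeAttributeName(ValueError):
    """Raised when an attribute name could not be emitted safely."""


def validate_attr_name(name: str) -> str:
    """Return the name unchanged if it is safe to emit, else raise."""
    if not _ATTR_NAME.fullmatch(name):
        raise UnsafeAttributeName(f"forbidden characters in attribute name: {name!r}")
    if name.lower().startswith(_DENIED_PREFIXES):
        raise UnsafeAttributeName(f"event-handler attribute not allowed: {name!r}")
    return name


def is_safe_attr_name(name: str) -> bool:
    """Boolean form of validate_attr_name, convenient for filtering."""
    try:
        validate_attr_name(name)
    except UnsafeAttributeName:
        return False
    return True


def safe_xmlattr(attrs: dict, autospace: bool = True) -> str:
    """Serialize a mapping to ' key="value"' pairs.

    Names are validated, values are HTML-escaped (including quotes), and
    None values are skipped, mirroring the conventional xmlattr behaviour.
    """
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        name = validate_attr_name(str(key))
        parts.append(f'{name}="{html.escape(str(value), quote=True)}"')
    rendered = " ".join(parts)
    if autospace and rendered:
        rendered = " " + rendered
    return rendered


if __name__ == "__main__":
    # Constructed inputs: one benign mapping and a key that should be refused.
    print("<a" + safe_xmlattr({"class": "btn", "data-id": 7, "title": 'a"b<c'}) + ">")
    for candidate in ("aria-label", "id x", "a=b", "onclick"):
        print(f"{candidate!r}: {'ok' if is_safe_attr_name(candidate) else 'rejected'}")
```

In an application the names that reach such a helper should come from code, not from request data; the validation is the backstop for the case the notice describes, where a key is attacker-controlled.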
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-jinja2 3.1.2-1ubuntu1.1
Ubuntu 23.10
python3-jinja2 3.1.2-1ubuntu0.23.10.2
Ubuntu 22.04 LTS
python3-jinja2 3.0.3-1ubuntu0.2
Ubuntu 20.04 LTS
python-jinja2 2.10.1-2ubuntu0.3
python3-jinja2 2.10.1-2ubuntu0.3
Ubuntu 18.04 LTS
python-jinja2 2.10-1ubuntu0.18.04.1+esm2
Available with Ubuntu Pro
python3-jinja2 2.10-1ubuntu0.18.04.1+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-jinja2 2.8-1ubuntu0.1+esm3
Available with Ubuntu Pro
python3-jinja2 2.8-1ubuntu0.1+esm3
Available with Ubuntu Pro
Ubuntu 14.04 LTS
python-jinja2 2.7.2-2ubuntu0.1~esm3
Available with Ubuntu Pro
python3-jinja2 2.7.2-2ubuntu0.1~esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6787-1
CVE-2024-34064
Package Information:
https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu1.1
https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu0.23.10.2
https://launchpad.net/ubuntu/+source/jinja2/3.0.3-1ubuntu0.2
https://launchpad.net/ubuntu/+source/jinja2/2.10.1-2ubuntu0.3
[USN-6799-1] Werkzeug vulnerability
==========================================================================
Ubuntu Security Notice USN-6799-1
May 29, 2024
python-werkzeug vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Werkzeug could be made to execute code under certain circumstances.
Software Description:
- python-werkzeug: collection of utilities for WSGI applications
Details:
It was discovered that the debugger in Werkzeug was not restricted to
trusted hosts. A remote attacker could possibly use this issue to execute
code on the host under certain circumstances.
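Beyond installing the fixed package, an operator wants to know whether anyone has been reaching the debugger on a given host. The detector below is an added example, not part of the notice or of Werkzeug: it scans web-server access-log lines for requests to the debugger's console path and for its `__debugger__=yes` query parameter (Werkzeug's documented defaults, `/console` and `__debugger__`, are what the example assumes). The log lines are constructed.

```python
"""Flag access-log lines that touch Werkzeug's interactive debugger.

Added example, not part of the notice or of Werkzeug. Werkzeug's
DebuggedApplication serves its console at /console and handles debugger
requests carrying the query parameter __debugger__=yes (its documented
defaults, assumed here). Any such request reaching a production host
deserves an alert, whether or not the host has been patched.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request line inside a combined-log-format entry: method, target, protocol.
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: one ordinary page load, two debugger requests,
# one unrelated API call.
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [29/May/2024:10:01:07 +0000] "GET /console HTTP/1.1" 200 8842
203.0.113.5 - - [29/May/2024:10:01:09 +0000] "GET /console?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 200 3002
198.51.100.9 - - [29/May/2024:10:02:00 +0000] "POST /api/items HTTP/1.1" 201 45
"""

CONSOLE_PATH = "/console"


def debugger_hits(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) for every request that looks like debugger use."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _REQ.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = urlsplit(m.group("target"))
        query = parse_qs(target.query)
        if target.path.rstrip("/") == CONSOLE_PATH:
            hits.append((n, "request to the Werkzeug debugger console path"))
        elif query.get("__debugger__") == ["yes"]:
            hits.append((n, "debugger protocol parameter in query string"))
    return hits


def offending_clients(log_text: str) -> set[str]:
    """Source addresses (first field of each flagged line) for triage."""
    lines = log_text.splitlines()
    return {lines[n - 1].split()[0] for n, _ in debugger_hits(log_text)}


if __name__ == "__main__":
    for n, reason in debugger_hits(SAMPLE_LOG):
        print(f"line {n}: {reason}")
    print("clients:", sorted(offending_clients(SAMPLE_LOG)))
```

A 404 on these paths is the healthy outcome on a production host; a 200 means the debugger is mounted and reachable, which is the condition the notice warns about regardless of the package version.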
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-werkzeug 3.0.1-3ubuntu0.1
Ubuntu 23.10
python3-werkzeug 2.2.2-3ubuntu0.1
Ubuntu 22.04 LTS
python3-werkzeug 2.0.2+dfsg1-1ubuntu0.22.04.2
Ubuntu 20.04 LTS
python3-werkzeug 0.16.1+dfsg1-2ubuntu0.2
Ubuntu 18.04 LTS
python-werkzeug 0.14.1+dfsg1-1ubuntu0.2+esm1
Available with Ubuntu Pro
python3-werkzeug 0.14.1+dfsg1-1ubuntu0.2+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-werkzeug 0.10.4+dfsg1-1ubuntu1.2+esm2
Available with Ubuntu Pro
python3-werkzeug 0.10.4+dfsg1-1ubuntu1.2+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6799-1
CVE-2024-34069
Package Information:
https://launchpad.net/ubuntu/+source/python-werkzeug/3.0.1-3ubuntu0.1
https://launchpad.net/ubuntu/+source/python-werkzeug/2.2.2-3ubuntu0.1
https://launchpad.net/ubuntu/+source/python-werkzeug/2.0.2+dfsg1-1ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/python-werkzeug/0.16.1+dfsg1-2ubuntu0.2
[USN-6798-1] GStreamer Base Plugins vulnerability
==========================================================================
Ubuntu Security Notice USN-6798-1
May 29, 2024
gst-plugins-base1.0 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
GStreamer Base Plugins could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- gst-plugins-base1.0: GStreamer plugins
Details:
It was discovered that GStreamer Base Plugins incorrectly handled certain
EXIF metadata. An attacker could possibly use this issue to execute arbitrary
code or cause a crash.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
gstreamer1.0-plugins-base 1.24.2-1ubuntu0.1
Ubuntu 23.10
gstreamer1.0-plugins-base 1.22.6-1ubuntu0.1
Ubuntu 22.04 LTS
gstreamer1.0-plugins-base 1.20.1-1ubuntu0.2
Ubuntu 20.04 LTS
gstreamer1.0-plugins-base 1.16.3-0ubuntu1.3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6798-1
CVE-2024-4453
Package Information:
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.24.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.22.6-1ubuntu0.1
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.20.1-1ubuntu0.2
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.16.3-0ubuntu1.3
[USN-6796-1] TPM2 Software Stack vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6796-1
May 29, 2024
tpm2-tss vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in TPM2 Software Stack.
Software Description:
- tpm2-tss: TPM2 Software Stack library
Details:
Fergus Dall discovered that TPM2 Software Stack did not properly handle
layer arrays. An attacker could possibly use this issue to cause
TPM2 Software Stack to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2023-22745)
Jurgen Repp and Andreas Fuchs discovered that TPM2 Software Stack did not
validate the quote data after deserialization. An attacker could generate
an arbitrary quote and cause TPM2 Software Stack to have unknown behavior.
(CVE-2024-29040)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libtss2-esys-3.0.2-0t64 4.0.1-7.1ubuntu5.1
libtss2-fapi1t64 4.0.1-7.1ubuntu5.1
libtss2-mu-4.0.1-0t64 4.0.1-7.1ubuntu5.1
libtss2-policy0t64 4.0.1-7.1ubuntu5.1
libtss2-rc0t64 4.0.1-7.1ubuntu5.1
libtss2-sys1t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-cmd0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-device0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-libtpms0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-mssim0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-pcap0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-spi-helper0t64 4.0.1-7.1ubuntu5.1
libtss2-tcti-swtpm0t64 4.0.1-7.1ubuntu5.1
libtss2-tctildr0t64 4.0.1-7.1ubuntu5.1
Ubuntu 23.10
libtss2-esys-3.0.2-0 4.0.1-3ubuntu1.1
libtss2-fapi1 4.0.1-3ubuntu1.1
libtss2-mu0 4.0.1-3ubuntu1.1
libtss2-policy0 4.0.1-3ubuntu1.1
libtss2-rc0 4.0.1-3ubuntu1.1
libtss2-sys1 4.0.1-3ubuntu1.1
libtss2-tcti-cmd0 4.0.1-3ubuntu1.1
libtss2-tcti-device0 4.0.1-3ubuntu1.1
libtss2-tcti-libtpms0 4.0.1-3ubuntu1.1
libtss2-tcti-mssim0 4.0.1-3ubuntu1.1
libtss2-tcti-pcap0 4.0.1-3ubuntu1.1
libtss2-tcti-spi-helper0 4.0.1-3ubuntu1.1
libtss2-tcti-swtpm0 4.0.1-3ubuntu1.1
libtss2-tctildr0 4.0.1-3ubuntu1.1
Ubuntu 22.04 LTS
libtss2-esys-3.0.2-0 3.2.0-1ubuntu1.1
libtss2-fapi1 3.2.0-1ubuntu1.1
libtss2-mu0 3.2.0-1ubuntu1.1
libtss2-rc0 3.2.0-1ubuntu1.1
libtss2-sys1 3.2.0-1ubuntu1.1
libtss2-tcti-cmd0 3.2.0-1ubuntu1.1
libtss2-tcti-device0 3.2.0-1ubuntu1.1
libtss2-tcti-mssim0 3.2.0-1ubuntu1.1
libtss2-tcti-swtpm0 3.2.0-1ubuntu1.1
libtss2-tctildr0 3.2.0-1ubuntu1.1
Ubuntu 20.04 LTS
libtss2-esys0 2.3.2-1ubuntu0.20.04.2
In general, a standard system update will make all the necessary changes.
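Each notice above lists the fixed package version per release, and the practical question on a fleet is whether the installed version is at least that. The script below is an added example, not Canonical's tooling: it reimplements dpkg's version ordering (epoch, upstream, Debian revision, with `~` sorting before everything) in pure Python so it runs anywhere, and compares a constructed sample of installed versions against the USN-6787-1 fixed versions for Ubuntu 20.04 LTS taken from above. On a real host the installed versions would come from `dpkg-query -W -f='${Package} ${Version}\n'`.

```python
"""Compare installed Debian/Ubuntu package versions against a USN's fixed versions.

Added example, not Canonical's tooling. The comparison follows dpkg's
algorithm: epoch first, then the upstream part, then the Debian revision;
within a part, alternating non-digit and digit runs are compared, with '~'
sorting before even the end of the string (so 1.0~rc1 < 1.0).
"""


def _order(c: str) -> int:
    """dpkg's weight for one character of a non-digit run ('' = end of string)."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256  # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    while a or b:
        first_diff = 0
        # Non-digit runs: compare character by character using _order().
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit runs: drop leading zeros, then compare digit by digit; a longer
        # run wins, otherwise the first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if first_diff == 0:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def needs_update(installed: str, fixed: str) -> bool:
    return compare_versions(installed, fixed) < 0


# Fixed versions for Ubuntu 20.04 LTS from USN-6787-1 above.
FIXED_USN_6787_1_FOCAL = {
    "python-jinja2": "2.10.1-2ubuntu0.3",
    "python3-jinja2": "2.10.1-2ubuntu0.3",
}

# Constructed sample of what dpkg-query might report on a focal host.
SAMPLE_INSTALLED = {
    "python3-jinja2": "2.10.1-2ubuntu0.2",          # below the fix: flag it
    "python3-werkzeug": "0.16.1+dfsg1-2ubuntu0.2",  # not in this table: ignored
}


def check_advisory(fixed: dict, installed: dict) -> dict:
    """Return {package: (installed, fixed)} for installed packages still below the fix.

    Packages absent from `installed` are not reported: dpkg-query only lists
    what is installed, and nothing needs updating if the package is not there.
    """
    out = {}
    for pkg, fixed_version in fixed.items():
        current = installed.get(pkg)
        if current is not None and needs_update(current, fixed_version):
            out[pkg] = (current, fixed_version)
    return out


if __name__ == "__main__":
    for pkg, (cur, fix) in check_advisory(FIXED_USN_6787_1_FOCAL, SAMPLE_INSTALLED).items():
        print(f"{pkg}: installed {cur}, fixed in {fix}")
```

Note that an ESM version such as `2.7.2-2ubuntu0.1~esm3` sorts below `2.7.2-2ubuntu0.1` under these rules, so a naive string or tuple comparison would misjudge Ubuntu Pro packages; using dpkg's ordering avoids that.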
References:
https://ubuntu.com/security/notices/USN-6796-1
CVE-2023-22745, CVE-2024-29040
Package Information:
https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-7.1ubuntu5.1
https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-3ubuntu1.1
https://launchpad.net/ubuntu/+source/tpm2-tss/3.2.0-1ubuntu1.1
https://launchpad.net/ubuntu/+source/tpm2-tss/2.3.2-1ubuntu0.20.04.2