[USN-7244-1] Jinja2 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7244-1
January 30, 2025
jinja2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in jinja2.
Software Description:
- jinja2: small but fast and easy to use stand-alone template engine
Details:
It was discovered that Jinja2 incorrectly handled certain filenames when
compiling template content. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2024-56201)
It was discovered that Jinja2 incorrectly handled string formatting calls.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2024-56326)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
python3-jinja2 3.1.3-1ubuntu1.24.10.1
Ubuntu 24.04 LTS
python3-jinja2 3.1.2-1ubuntu1.2
Ubuntu 22.04 LTS
python3-jinja2 3.0.3-1ubuntu0.3
Ubuntu 20.04 LTS
python-jinja2 2.10.1-2ubuntu0.4
python3-jinja2 2.10.1-2ubuntu0.4
Ubuntu 18.04 LTS
python-jinja2 2.10-1ubuntu0.18.04.1+esm3
Available with Ubuntu Pro
python3-jinja2 2.10-1ubuntu0.18.04.1+esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7244-1
CVE-2024-56201, CVE-2024-56326
Package Information:
https://launchpad.net/ubuntu/+source/jinja2/3.1.3-1ubuntu1.24.10.1
https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu1.2
https://launchpad.net/ubuntu/+source/jinja2/3.0.3-1ubuntu0.3
https://launchpad.net/ubuntu/+source/jinja2/2.10.1-2ubuntu0.4
[USN-7243-1] VLC vulnerability
==========================================================================
Ubuntu Security Notice USN-7243-1
January 29, 2025
vlc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
VLC could be made to crash or run programs if it received
specially crafted network traffic.
Software Description:
- vlc: multimedia player and streamer
Details:
It was discovered that VLC incorrectly handled memory when reading an MMS
stream. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
vlc 3.0.20-3ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
vlc 3.0.16-1ubuntu0.1~esm3
Available with Ubuntu Pro
Ubuntu 20.04 LTS
vlc 3.0.9.2-1ubuntu0.1~esm3
Available with Ubuntu Pro
Ubuntu 18.04 LTS
vlc 3.0.8-0ubuntu18.04.1+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
vlc 2.2.2-5ubuntu0.16.04.5+esm4
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7243-1
CVE-2024-46461
[USN-7240-1] libxml2 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7240-1
January 29, 2025
libxml2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in libxml2.
Software Description:
- libxml2: GNOME XML library
Details:
It was discovered that libxml2 incorrectly handled certain memory
operations. A remote attacker could use this issue to cause libxml2 to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2022-49043)
It was discovered that the libxml2 xmllint tool incorrectly handled
certain memory operations. If a user or automated system were tricked into
running xmllint on a specially crafted XML file, a remote attacker could
cause xmllint to crash, resulting in a denial of service. (CVE-2024-34459)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libxml2 2.9.14+dfsg-1.3ubuntu3.1
Ubuntu 22.04 LTS
libxml2 2.9.13+dfsg-1ubuntu0.5
Ubuntu 20.04 LTS
libxml2 2.9.10+dfsg-5ubuntu0.20.04.8
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7240-1
CVE-2022-49043, CVE-2024-34459
Package Information:
https://launchpad.net/ubuntu/+source/libxml2/2.9.14+dfsg-1.3ubuntu3.1
https://launchpad.net/ubuntu/+source/libxml2/2.9.13+dfsg-1ubuntu0.5
https://launchpad.net/ubuntu/+source/libxml2/2.9.10+dfsg-5ubuntu0.20.04.8
[USN-7241-1] Bind vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7241-1
January 29, 2025
bind9 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Bind.
Software Description:
- bind9: Internet Domain Name Server
Details:
Toshifumi Sakaguchi discovered that Bind incorrectly handled many records
in the additional section. A remote attacker could possibly use this issue
to cause Bind to consume CPU resources, leading to a denial of service.
(CVE-2024-11187)
Jean-François Billaud discovered that the Bind DNS-over-HTTPS
implementation incorrectly handled a heavy query load. A remote attacker
could possibly use this issue to cause Bind to consume resources, leading
to a denial of service. (CVE-2024-12705)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
bind9 1:9.20.0-2ubuntu3.1
Ubuntu 24.04 LTS
bind9 1:9.18.30-0ubuntu0.24.04.2
Ubuntu 22.04 LTS
bind9 1:9.18.30-0ubuntu0.22.04.2
Ubuntu 20.04 LTS
bind9 1:9.18.30-0ubuntu0.20.04.2
In general, a standard system update will make all the necessary changes.
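The update instructions in the Jinja2, VLC, libxml2 and Bind notices above list the fixed package version per release. The following is an added example (not part of the notices and not Ubuntu's own tooling) that checks a host's installed versions against the Ubuntu 22.04 LTS entries from those four notices; it ports dpkg's version ordering so that the `~esm` suffixes and the bind9 epoch compare correctly. The dpkg-query output it parses is a constructed sample, not taken from a real host.

```python
import itertools
import re

def _order(c):  # dpkg character weight: '~' < end-of-string < letters < other symbols
    return -1 if c == "~" else 0 if not c else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp: compare alternating text / numeric chunks left to right."""
    ta, tb = re.split(r"(\d+)", a), re.split(r"(\d+)", b)  # even index: text, odd: digits
    for k, (x, y) in enumerate(itertools.zip_longest(ta, tb, fillvalue="")):
        if k % 2:  # numeric chunk: int() makes leading zeros and run length irrelevant
            nx, ny = int(x or 0), int(y or 0)
            if nx != ny:
                return 1 if nx > ny else -1
        else:  # text chunk: character by character with dpkg's weights
            for cx, cy in itertools.zip_longest(x, y, fillvalue=""):
                if _order(cx) != _order(cy):
                    return 1 if _order(cx) > _order(cy) else -1
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    def split(v):  # "epoch:upstream-revision" -> (epoch, upstream, revision)
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Fixed versions for Ubuntu 22.04 LTS, copied from the notices above.
FIXED_22_04 = {"python3-jinja2": "3.0.3-1ubuntu0.3", "vlc": "3.0.16-1ubuntu0.1~esm3",
               "libxml2": "2.9.13+dfsg-1ubuntu0.5", "bind9": "1:9.18.30-0ubuntu0.22.04.2"}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output, not a real host.
SAMPLE_DPKG_OUTPUT = """python3-jinja2 3.0.3-1ubuntu0.2
vlc 3.0.16-1ubuntu0.1~esm2
libxml2 2.9.13+dfsg-1ubuntu0.5
bind9 1:9.18.28-0ubuntu0.22.04.1
"""

def unpatched(dpkg_output, fixed=FIXED_22_04):
    """Map each listed package still below its fixed version to (installed, fixed)."""
    pending = {}
    for line in dpkg_output.splitlines():
        pkg, _, installed = line.partition(" ")
        if pkg in fixed and compare_versions(installed, fixed[pkg]) < 0:
            pending[pkg] = (installed, fixed[pkg])
    return pending
```

On a real host, feed `unpatched()` the output of `dpkg-query -W -f '${Package} ${Version}\n'`; the `FIXED_22_04` table is the part to adapt for another release.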
References:
https://ubuntu.com/security/notices/USN-7241-1
CVE-2024-11187, CVE-2024-12705
Package Information:
https://launchpad.net/ubuntu/+source/bind9/1:9.20.0-2ubuntu3.1
https://launchpad.net/ubuntu/+source/bind9/1:9.18.30-0ubuntu0.24.04.2
https://launchpad.net/ubuntu/+source/bind9/1:9.18.30-0ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/bind9/1:9.18.30-0ubuntu0.20.04.2
[USN-7236-2] Linux kernel (Low Latency) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7236-2
January 29, 2025
linux-lowlatency-hwe-6.8 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-lowlatency-hwe-6.8: Linux low latency kernel
Details:
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Netfilter;
- Network traffic control;
- VMware vSockets driver;
(CVE-2024-53164, CVE-2024-53103, CVE-2024-53141)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
linux-image-6.8.0-52-lowlatency 6.8.0-52.53.1~22.04.1
linux-image-6.8.0-52-lowlatency-64k 6.8.0-52.53.1~22.04.1
linux-image-lowlatency-64k-hwe-22.04 6.8.0-52.53.1~22.04.1
linux-image-lowlatency-hwe-22.04 6.8.0-52.53.1~22.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7236-2
https://ubuntu.com/security/notices/USN-7236-1
CVE-2024-53103, CVE-2024-53141, CVE-2024-53164
Package Information:
https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.8/6.8.0-52.53.1~22.04.1
[USN-7157-3] PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7157-3
January 29, 2025
php7.0 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php7.0: HTML-embedded scripting language interpreter
Details:
USN-7157-1 fixed vulnerabilities in PHP versions 7.4, 8.1, and 8.3.
This update provides the corresponding updates for PHP version 7.0.
Original advisory details:
It was discovered that PHP incorrectly handled certain inputs when
processed with convert.quoted-printable-decode filters.
An attacker could possibly use this issue to expose sensitive
information or cause a crash. (CVE-2024-11233)
It was discovered that PHP incorrectly handled certain HTTP requests.
An attacker could possibly use this issue to perform arbitrary
HTTP requests originating from the server, thus potentially
gaining access to resources not normally available to the external
user. (CVE-2024-11234)
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code. (CVE-2024-8932)
It was discovered that PHP incorrectly handled certain MySQL requests.
An attacker could possibly use this issue to cause the client to
disclose the content of its heap containing data from other SQL requests
and possibly other data belonging to different users of the same server.
(CVE-2024-8929)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.16+esm14
Available with Ubuntu Pro
php7.0 7.0.33-0ubuntu0.16.04.16+esm14
Available with Ubuntu Pro
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm14
Available with Ubuntu Pro
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm14
Available with Ubuntu Pro
php7.0-ldap 7.0.33-0ubuntu0.16.04.16+esm14
Available with Ubuntu Pro
php7.0-mysql 7.0.33-0ubuntu0.16.04.16+esm14
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7157-3
https://ubuntu.com/security/notices/USN-7157-2
https://ubuntu.com/security/notices/USN-7157-1
CVE-2024-11233, CVE-2024-11234, CVE-2024-8929, CVE-2024-8932