
Ubuntu Linux has received new security updates, addressing vulnerabilities in Jinja2, VLC, libxml2, BIND, the Linux kernel, and PHP:

[USN-7244-1] Jinja2 vulnerabilities
[USN-7243-1] VLC vulnerability
[USN-7240-1] libxml2 vulnerabilities
[USN-7241-1] Bind vulnerabilities
[USN-7236-2] Linux kernel (Low Latency) vulnerabilities
[USN-7157-3] PHP vulnerabilities




[USN-7244-1] Jinja2 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7244-1
January 30, 2025

jinja2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in jinja2.

Software Description:
- jinja2: small but fast and easy to use stand-alone template engine

Details:

It was discovered that Jinja2 incorrectly handled certain filenames when
compiling template content. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2024-56201)

It was discovered that Jinja2 incorrectly handled string formatting calls.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2024-56326)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  python3-jinja2                  3.1.3-1ubuntu1.24.10.1

Ubuntu 24.04 LTS
  python3-jinja2                  3.1.2-1ubuntu1.2

Ubuntu 22.04 LTS
  python3-jinja2                  3.0.3-1ubuntu0.3

Ubuntu 20.04 LTS
  python-jinja2                   2.10.1-2ubuntu0.4
  python3-jinja2                  2.10.1-2ubuntu0.4

Ubuntu 18.04 LTS
  python-jinja2                   2.10-1ubuntu0.18.04.1+esm3
                                  Available with Ubuntu Pro
  python3-jinja2                  2.10-1ubuntu0.18.04.1+esm3
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7244-1
  CVE-2024-56201, CVE-2024-56326

Package Information:
  https://launchpad.net/ubuntu/+source/jinja2/3.1.3-1ubuntu1.24.10.1
  https://launchpad.net/ubuntu/+source/jinja2/3.1.2-1ubuntu1.2
  https://launchpad.net/ubuntu/+source/jinja2/3.0.3-1ubuntu0.3
  https://launchpad.net/ubuntu/+source/jinja2/2.10.1-2ubuntu0.4



[USN-7243-1] VLC vulnerability


==========================================================================
Ubuntu Security Notice USN-7243-1
January 29, 2025

vlc vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

VLC could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- vlc: multimedia player and streamer

Details:

It was discovered that VLC incorrectly handled memory when reading an MMS
stream. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  vlc                             3.0.20-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  vlc                             3.0.16-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  vlc                             3.0.9.2-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  vlc                             3.0.8-0ubuntu18.04.1+esm3
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  vlc                             2.2.2-5ubuntu0.16.04.5+esm4
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7243-1
  CVE-2024-46461



[USN-7240-1] libxml2 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7240-1
January 29, 2025

libxml2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in libxml2.

Software Description:
- libxml2: GNOME XML library

Details:

It was discovered that libxml2 incorrectly handled certain memory
operations. A remote attacker could use this issue to cause libxml2 to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2022-49043)

It was discovered that the libxml2 xmllint tool incorrectly handled
certain memory operations. If a user or automated system were tricked into
running xmllint on a specially crafted XML file, a remote attacker could
cause xmllint to crash, resulting in a denial of service. (CVE-2024-34459)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libxml2                         2.9.14+dfsg-1.3ubuntu3.1

Ubuntu 22.04 LTS
  libxml2                         2.9.13+dfsg-1ubuntu0.5

Ubuntu 20.04 LTS
  libxml2                         2.9.10+dfsg-5ubuntu0.20.04.8

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7240-1
  CVE-2022-49043, CVE-2024-34459

Package Information:
  https://launchpad.net/ubuntu/+source/libxml2/2.9.14+dfsg-1.3ubuntu3.1
  https://launchpad.net/ubuntu/+source/libxml2/2.9.13+dfsg-1ubuntu0.5
  https://launchpad.net/ubuntu/+source/libxml2/2.9.10+dfsg-5ubuntu0.20.04.8



[USN-7241-1] Bind vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7241-1
January 29, 2025

bind9 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Bind.

Software Description:
- bind9: Internet Domain Name Server

Details:

Toshifumi Sakaguchi discovered that Bind incorrectly handled many records
in the additional section. A remote attacker could possibly use this issue
to cause Bind to consume CPU resources, leading to a denial of service.
(CVE-2024-11187)

Jean-François Billaud discovered that the Bind DNS-over-HTTPS
implementation incorrectly handled a heavy query load. A remote attacker
could possibly use this issue to cause Bind to consume resources, leading
to a denial of service. (CVE-2024-12705)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  bind9                           1:9.20.0-2ubuntu3.1

Ubuntu 24.04 LTS
  bind9                           1:9.18.30-0ubuntu0.24.04.2

Ubuntu 22.04 LTS
  bind9                           1:9.18.30-0ubuntu0.22.04.2

Ubuntu 20.04 LTS
  bind9                           1:9.18.30-0ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7241-1
  CVE-2024-11187, CVE-2024-12705

Package Information:
  https://launchpad.net/ubuntu/+source/bind9/1:9.20.0-2ubuntu3.1
  https://launchpad.net/ubuntu/+source/bind9/1:9.18.30-0ubuntu0.24.04.2
  https://launchpad.net/ubuntu/+source/bind9/1:9.18.30-0ubuntu0.22.04.2
  https://launchpad.net/ubuntu/+source/bind9/1:9.18.30-0ubuntu0.20.04.2



[USN-7236-2] Linux kernel (Low Latency) vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7236-2
January 29, 2025

linux-lowlatency-hwe-6.8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-lowlatency-hwe-6.8: Linux low latency kernel

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Netfilter;
- Network traffic control;
- VMware vSockets driver;
(CVE-2024-53164, CVE-2024-53103, CVE-2024-53141)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  linux-image-6.8.0-52-lowlatency       6.8.0-52.53.1~22.04.1
  linux-image-6.8.0-52-lowlatency-64k   6.8.0-52.53.1~22.04.1
  linux-image-lowlatency-64k-hwe-22.04  6.8.0-52.53.1~22.04.1
  linux-image-lowlatency-hwe-22.04      6.8.0-52.53.1~22.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://ubuntu.com/security/notices/USN-7236-2
  https://ubuntu.com/security/notices/USN-7236-1
  CVE-2024-53103, CVE-2024-53141, CVE-2024-53164

Package Information:
  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.8/6.8.0-52.53.1~22.04.1



[USN-7157-3] PHP vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7157-3
January 29, 2025

php7.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-7157-1 fixed vulnerabilities in PHP versions 7.4, 8.1, and 8.3.
This update provides the corresponding updates for PHP version 7.0.

Original advisory details:

 It was discovered that PHP incorrectly handled certain inputs when
 processed with convert.quoted-printable decode filters.
 An attacker could possibly use this issue to expose sensitive
 information or cause a crash. (CVE-2024-11233)

 It was discovered that PHP incorrectly handled certain HTTP requests.
 An attacker could possibly use this issue to perform arbitrary
 HTTP requests originating from the server, thus potentially
 gaining access to resources not normally available to the external
 user. (CVE-2024-11234)

 It was discovered that PHP incorrectly handled certain inputs.
 An attacker could possibly use this issue to cause a crash or
 execute arbitrary code. (CVE-2024-8932)

 It was discovered that PHP incorrectly handled certain MySQL requests.
 An attacker could possibly use this issue to cause the client to
 disclose the content of its heap containing data from other SQL requests
 and possibly other data belonging to different users of the same server.
 (CVE-2024-8929)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
  libapache2-mod-php7.0           7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0                          7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0-cgi                      7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0-cli                      7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0-ldap                     7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro
  php7.0-mysql                    7.0.33-0ubuntu0.16.04.16+esm14
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7157-3
  https://ubuntu.com/security/notices/USN-7157-2
  https://ubuntu.com/security/notices/USN-7157-1
  CVE-2024-11233, CVE-2024-11234, CVE-2024-8929, CVE-2024-8932