[USN-7173-3] Linux kernel (Raspberry Pi) vulnerabilities
[USN-7204-1] NeoMutt vulnerabilities
[USN-7173-3] Linux kernel (Raspberry Pi) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7173-3
January 15, 2025
linux-raspi-5.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems
Details:
Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not
properly handle certain error conditions, leading to a NULL pointer
dereference. A local attacker could possibly trigger this vulnerability to
cause a denial of service. (CVE-2022-38096)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- Network drivers;
- SCSI subsystem;
- Ext4 file system;
- Bluetooth subsystem;
- Memory management;
- Amateur Radio drivers;
- Network traffic control;
- Sun RPC protocol;
- VMware vSockets driver;
(CVE-2023-52821, CVE-2024-40910, CVE-2024-43892, CVE-2024-49967,
CVE-2024-50264, CVE-2024-36952, CVE-2024-38553, CVE-2021-47101,
CVE-2021-47001, CVE-2024-35965, CVE-2024-35963, CVE-2024-35966,
CVE-2024-35967, CVE-2024-53057, CVE-2024-38597)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
linux-image-5.4.0-1121-raspi 5.4.0-1121.133~18.04.1
Available with Ubuntu Pro
linux-image-raspi-hwe-18.04 5.4.0.1121.133~18.04.1
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7173-3
https://ubuntu.com/security/notices/USN-7173-2
https://ubuntu.com/security/notices/USN-7173-1
CVE-2021-47001, CVE-2021-47101, CVE-2022-38096, CVE-2023-52821,
CVE-2024-35963, CVE-2024-35965, CVE-2024-35966, CVE-2024-35967,
CVE-2024-36952, CVE-2024-38553, CVE-2024-38597, CVE-2024-40910,
CVE-2024-43892, CVE-2024-49967, CVE-2024-50264, CVE-2024-53057
[USN-7204-1] NeoMutt vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7204-1
January 15, 2025
neomutt vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in NeoMutt.
Software Description:
- neomutt: command line mail reader based on Mutt, with added features
Details:
Jeriko One discovered that NeoMutt incorrectly handled certain IMAP
and POP3 responses. An attacker could possibly use this issue to
cause NeoMutt to crash, resulting in a denial of service, or
the execution of arbitrary code. This issue only affected
Ubuntu 18.04 LTS. (CVE-2018-14349, CVE-2018-14350, CVE-2018-14351,
CVE-2018-14352, CVE-2018-14353, CVE-2018-14354, CVE-2018-14355,
CVE-2018-14356, CVE-2018-14357, CVE-2018-14358, CVE-2018-14359,
CVE-2018-14362)
Jeriko One discovered that NeoMutt incorrectly handled certain
NNTP-related operations. An attacker could possibly use this issue
to cause NeoMutt to crash, resulting in denial of service, or
the execution of arbitrary code. This issue only affected
Ubuntu 18.04 LTS. (CVE-2018-14360, CVE-2018-14361, CVE-2018-14363)
It was discovered that NeoMutt incorrectly processed additional data
when communicating with mail servers. An attacker could possibly use
this issue to access senstive information. This issue only affected
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-14954, CVE-2020-28896)
It was discovered that Neomutt incorrectly handled the IMAP QRSync
setting. An attacker could possibly use this issue to cause NeoMutt
to crash, resulting in denial of service. This issue only affected
Ubuntu 20.04 LTS. (CVE-2021-32055)
Tavis Ormandy discovered that NeoMutt incorrectly parsed uuencoded
text past the length of the string. An attacker could possibly use
this issue to enable the execution of arbitrary code. This issue
only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and
Ubuntu 22.04 LTS. (CVE-2022-1328)
It was discovered that NeoMutt did not properly encrypt email headers.
An attacker could possibly use this issue to receive emails that were
not intended for them and access sensitive information. This
vulnerability was only fixed in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,
and Ubuntu 24.04 LTS. (CVE-2024-49393, CVE-2024-49394)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
neomutt 20231103+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
neomutt 20211029+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
neomutt 20191207+dfsg.1-1.1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
neomutt 20171215+dfsg.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7204-1
CVE-2018-14349, CVE-2018-14350, CVE-2018-14351, CVE-2018-14352,
CVE-2018-14353, CVE-2018-14354, CVE-2018-14355, CVE-2018-14356,
CVE-2018-14357, CVE-2018-14358, CVE-2018-14359, CVE-2018-14360,
CVE-2018-14361, CVE-2018-14362, CVE-2018-14363, CVE-2020-14954,
CVE-2020-28896, CVE-2021-32055, CVE-2022-1328, CVE-2024-49393,
CVE-2024-49394
