
Ubuntu Linux has received updates that address security vulnerabilities in the Linux kernel, Ruby, and Erlang:

[LSN-0111-1] Linux kernel vulnerability
[USN-7442-1] Ruby vulnerabilities
[USN-7443-1] Erlang vulnerability




[LSN-0111-1] Linux kernel vulnerability


Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

- linux - Linux kernel
- linux-aws - Linux kernel for Amazon Web Services (AWS) systems
- linux-azure - Linux kernel for Microsoft Azure Cloud systems
- linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke - Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop - Linux kernel for Google Container Engine (GKE) systems
- linux-ibm - Linux kernel for IBM cloud systems
- linux-oracle - Linux kernel for Oracle Cloud systems

Details

It was discovered that the watch_queue event notification system
contained an out-of-bounds write vulnerability. A local attacker could
use this to cause a denial of service or escalate their privileges.
(CVE-2022-0995)

In the Linux kernel, the following vulnerability has been resolved: smb:
client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions
that are being torn down (status == SES_EXITING) to avoid UAF.
(CVE-2024-26928)

In the Linux kernel, the following vulnerability has been resolved: smb:
client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions
that are being torn down (status == SES_EXITING) to avoid UAF.
(CVE-2024-35864)

In the Linux kernel, the following vulnerability has been resolved: HID:
core: zero-initialize the report buffer Since the report buffer is used
by all kinds of drivers in various ways, let’s zero-initialize it
during allocation to make sure that it can’t be ever used to leak kernel
memory via specially-crafted report. (CVE-2024-50302)

In the Linux kernel, the following vulnerability has been resolved:
media: dvbdev: prevent the risk of out of memory access The dvbdev
contains a static variable used to store dvb minors. Its behavior
depends on whether CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set,
dvb_register_device() won’t check for boundaries, as it relies on a
previous call to dvb_register_adapter() already enforcing it.
In a similar way, dvb_device_open() assumes that the
register functions already did the needed checks. This can be fragile if
some device ends up using different calls. This also generates warnings on
static check analysers like Coverity. So, add explicit guards to prevent
potential risk of OOM issues. (CVE-2024-53063)

In the Linux kernel, the following vulnerability has been resolved: jfs:
add a check to prevent array-index-out-of-bounds in dbAdjTree When the
value of lp is 0 at the beginning of the for loop, it will become
negative in the next assignment and we should bail out. (CVE-2024-56595)

In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix UAF in blkcg_unpin_online() blkcg_unpin_online() walks
up the blkcg hierarchy putting the online pin. To walk up, it uses
blkcg_parent(blkcg) but it was calling that after
blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the
following UAF:

  ==================================================================
  BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270
  Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117

  CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022
  Workqueue: cgwb_release cgwb_release_workfn
  Call Trace:
   dump_stack_lvl+0x27/0x80
   print_report+0x151/0x710
   kasan_report+0xc0/0x100
   blkcg_unpin_online+0x15a/0x270
   cgwb_release_workfn+0x194/0x480
   process_scheduled_works+0x71b/0xe20
   worker_thread+0x82a/0xbd0
   kthread+0x242/0x2c0
   ret_from_fork+0x33/0x70
   ret_from_fork_asm+0x1a/0x30
  …
  Freed by task 1944:
   kasan_save_track+0x2b/0x70
   kasan_save_free_info+0x3c/0x50
   __kasan_slab_free+0x33/0x50
   kfree+0x10c/0x330
   css_free_rwork_fn+0xe6/0xb30
   process_scheduled_works+0x71b/0xe20
   worker_thread+0x82a/0xbd0
   kthread+0x242/0x2c0
   ret_from_fork+0x33/0x70
   ret_from_fork_asm+0x1a/0x30

Note that the UAF is not easy to trigger as the free path is indirected
behind a couple RCU grace periods and a work item execution. I could
only trigger it with artificial msleep() injected in
blkcg_unpin_online(). Fix it by reading the parent pointer before
destroying the blkcg’s blkg’s. (CVE-2024-56672)

In the Linux kernel, the following vulnerability has been resolved:
drm/dp_mst: Ensure mst_primary pointer is valid in
drm_dp_mst_handle_up_req() While receiving an MST up request message
from one thread in drm_dp_mst_handle_up_req(), the MST topology could be
removed from another thread via drm_dp_mst_topology_mgr_set_mst(false),
freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to
NULL. This could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for
mst_primary in drm_dp_mst_handle_up_req() while it’s used. v2: Fix
kfreeing the request if getting an mst_primary reference fails.
(CVE-2024-57798)

Update instructions

The problem can be corrected by updating your kernel livepatch to the
following versions:

Ubuntu 20.04 LTS
aws - 111.1
azure - 111.1
gcp - 111.1
generic - 111.1
gkeop - 111.1
ibm - 111.1
lowlatency - 111.1
oracle - 111.1

Ubuntu 18.04 LTS
aws - 111.1
azure - 111.1
gcp - 111.1
generic - 111.1
lowlatency - 111.1
oracle - 111.1

Ubuntu 16.04 LTS
aws - 111.1
azure - 111.1
gcp - 111.1
generic - 111.1
lowlatency - 111.1

Ubuntu 22.04 LTS
aws - 111.1
azure - 111.1
gcp - 111.1
generic - 111.1
gke - 111.1
ibm - 111.1
oracle - 111.1

Ubuntu 14.04 LTS
generic - 111.1
lowlatency - 111.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS
kernel version will receive upgrades for a period of up to 9 months
after the build date of the kernel, or until the end of support for that
kernel’s non-LTS distro release version, whichever is sooner.

References

- CVE-2022-0995
- CVE-2024-26928
- CVE-2024-35864
- CVE-2024-50302
- CVE-2024-53063
- CVE-2024-56595
- CVE-2024-56672
- CVE-2024-57798



[USN-7442-1] Ruby vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7442-1
April 17, 2025

ruby2.3, ruby2.5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description:
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language

Details:

It was discovered that the Ruby CGI gem incorrectly handled parsing certain
cookies. A remote attacker could possibly use this issue to consume
resources, leading to a denial of service. (CVE-2025-27219)

It was discovered that the Ruby CGI gem incorrectly handled parsing certain
regular expressions. A remote attacker could possibly use this issue to
consume resources, leading to a denial of service. (CVE-2025-27220)

It was discovered that the Ruby URI gem incorrectly handled certain URI
handling methods. A remote attacker could possibly use this issue to leak
authentication credentials. (CVE-2025-27221)

It was discovered that the Ruby REXML gem incorrectly handled parsing XML
documents containing many digits in a hex numeric character reference. A
remote attacker could use this issue to consume resources, leading to a
denial of service. (CVE-2024-49761)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  libruby2.5                      2.5.1-1ubuntu1.16+esm4
                                  Available with Ubuntu Pro
  ruby2.5                         2.5.1-1ubuntu1.16+esm4
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libruby2.3                      2.3.1-2~ubuntu16.04.16+esm10
                                  Available with Ubuntu Pro
  ruby2.3                         2.3.1-2~ubuntu16.04.16+esm10
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7442-1
  CVE-2024-49761, CVE-2025-27219, CVE-2025-27220, CVE-2025-27221



[USN-7443-1] Erlang vulnerability


==========================================================================
Ubuntu Security Notice USN-7443-1
April 17, 2025

erlang vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Erlang could be made to run programs if it received specially crafted
network traffic.

Software Description:
- erlang: Concurrent, real-time, distributed functional language

Details:

Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, and Jörg Schwenk
discovered that Erlang OTP’s SSH module incorrectly handled authentication. A
remote attacker could use this issue to execute arbitrary commands without
authentication, possibly leading to a system compromise.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
erlang 1:25.3.2.12+dfsg-1ubuntu2.3
erlang-ssh 1:25.3.2.12+dfsg-1ubuntu2.3

Ubuntu 24.04 LTS
erlang 1:25.3.2.8+dfsg-1ubuntu4.3
erlang-ssh 1:25.3.2.8+dfsg-1ubuntu4.3

Ubuntu 22.04 LTS
erlang 1:24.2.1+dfsg-1ubuntu0.4
erlang-ssh 1:24.2.1+dfsg-1ubuntu0.4

Ubuntu 20.04 LTS
erlang 1:22.2.7+dfsg-1ubuntu0.5
erlang-ssh 1:22.2.7+dfsg-1ubuntu0.5

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7443-1
CVE-2025-32433

Package Information:
https://launchpad.net/ubuntu/+source/erlang/1:25.3.2.12+dfsg-1ubuntu2.3
https://launchpad.net/ubuntu/+source/erlang/1:25.3.2.8+dfsg-1ubuntu4.3
https://launchpad.net/ubuntu/+source/erlang/1:24.2.1+dfsg-1ubuntu0.4
https://launchpad.net/ubuntu/+source/erlang/1:22.2.7+dfsg-1ubuntu0.5