Ubuntu 6706 Published by

Ubuntu Linux has received updates addressing multiple security vulnerabilities in MariaDB, OVN, WebKitGTK, AOM, libtar, RabbitMQ Server, and PHP:

[USN-7376-2] MariaDB vulnerability
[USN-7396-1] OVN vulnerability
[USN-7395-1] WebKitGTK vulnerabilities
[USN-7397-1] AOM vulnerability
[USN-7398-1] libtar vulnerabilities
[USN-7399-1] RabbitMQ Server vulnerability
[USN-7400-1] PHP vulnerabilities




[USN-7376-2] MariaDB vulnerability


=========================================================================
Ubuntu Security Notice USN-7376-2
March 31, 2025

mariadb vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

A security issue was fixed in MariaDB.

Software Description:
- mariadb: MariaDB database
- mariadb-10.6: MariaDB database

Details:

USN-7376-1 fixed vulnerabilities in MariaDB. This update provides the
corresponding updates for Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.

Original advisory details:

A security issue was discovered in MariaDB and this update includes
a new upstream MariaDB version to fix the issue.

In addition to security fixes, the updated packages contain bug and
regression fixes, new features, and possibly incompatible changes.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
mariadb-server 1:10.11.11-0ubuntu0.24.04.2

Ubuntu 22.04 LTS
mariadb-server 1:10.6.21-0ubuntu0.22.04.2

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart MariaDB to
make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7376-2
https://ubuntu.com/security/notices/USN-7376-1
CVE-2025-21490

Package Information:
https://launchpad.net/ubuntu/+source/mariadb/1:10.11.11-0ubuntu0.24.04.2
https://launchpad.net/ubuntu/+source/mariadb-10.6/1:10.6.21-0ubuntu0.22.04.2



[USN-7396-1] OVN vulnerability


==========================================================================
Ubuntu Security Notice USN-7396-1
March 31, 2025

ovn vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

OVN would allow unintended access to the network.

Software Description:
- ovn: system to support virtual network abstraction

Details:

Marius Berntsberg, Trygve Vea, Tore Anderson, Rodolfo Alonso, Jay Faulkner,
and Brian Haley discovered that OVN incorrectly handled certain crafted UDP
packets. A remote attacker could possibly use this issue to bypass egress
ACL rules.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
ovn-central 24.09.0-1ubuntu0.1
ovn-common 24.09.0-1ubuntu0.1
ovn-docker 24.09.0-1ubuntu0.1
ovn-host 24.09.0-1ubuntu0.1
ovn-ic 24.09.0-1ubuntu0.1

Ubuntu 24.04 LTS
ovn-central 24.03.2-0ubuntu0.24.04.2
ovn-common 24.03.2-0ubuntu0.24.04.2
ovn-docker 24.03.2-0ubuntu0.24.04.2
ovn-host 24.03.2-0ubuntu0.24.04.2
ovn-ic 24.03.2-0ubuntu0.24.04.2

Ubuntu 22.04 LTS
ovn-central 22.03.3-0ubuntu0.22.04.5
ovn-common 22.03.3-0ubuntu0.22.04.5
ovn-docker 22.03.3-0ubuntu0.22.04.5
ovn-host 22.03.3-0ubuntu0.22.04.5
ovn-ic 22.03.3-0ubuntu0.22.04.5

Ubuntu 20.04 LTS
ovn-central 20.03.2-0ubuntu0.20.04.6
ovn-common 20.03.2-0ubuntu0.20.04.6
ovn-docker 20.03.2-0ubuntu0.20.04.6
ovn-host 20.03.2-0ubuntu0.20.04.6
ovn-ic 20.03.2-0ubuntu0.20.04.6

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7396-1
CVE-2025-0650

Package Information:
https://launchpad.net/ubuntu/+source/ovn/24.09.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/ovn/24.03.2-0ubuntu0.24.04.2
https://launchpad.net/ubuntu/+source/ovn/22.03.3-0ubuntu0.22.04.5
https://launchpad.net/ubuntu/+source/ovn/20.03.2-0ubuntu0.20.04.6



[USN-7395-1] WebKitGTK vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7395-1
March 31, 2025

webkit2gtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:
- webkit2gtk: Web content engine library for GTK+

Details:

Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
libjavascriptcoregtk-4.1-0 2.48.0-0ubuntu0.24.10.1
libjavascriptcoregtk-6.0-1 2.48.0-0ubuntu0.24.10.1
libwebkit2gtk-4.1-0 2.48.0-0ubuntu0.24.10.1
libwebkitgtk-6.0-4 2.48.0-0ubuntu0.24.10.1

Ubuntu 24.04 LTS
libjavascriptcoregtk-4.1-0 2.48.0-0ubuntu0.24.04.1
libjavascriptcoregtk-6.0-1 2.48.0-0ubuntu0.24.04.1
libwebkit2gtk-4.1-0 2.48.0-0ubuntu0.24.04.1
libwebkitgtk-6.0-4 2.48.0-0ubuntu0.24.04.1

Ubuntu 22.04 LTS
libjavascriptcoregtk-4.0-18 2.48.0-0ubuntu0.22.04.1
libjavascriptcoregtk-4.1-0 2.48.0-0ubuntu0.22.04.1
libjavascriptcoregtk-6.0-1 2.48.0-0ubuntu0.22.04.1
libwebkit2gtk-4.0-37 2.48.0-0ubuntu0.22.04.1
libwebkit2gtk-4.1-0 2.48.0-0ubuntu0.22.04.1
libwebkitgtk-6.0-4 2.48.0-0ubuntu0.22.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7395-1
CVE-2024-44192, CVE-2024-54467, CVE-2025-24201

Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.48.0-0ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.48.0-0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.48.0-0ubuntu0.22.04.1



[USN-7397-1] AOM vulnerability


==========================================================================

Ubuntu Security Notice USN-7397-1
March 31, 2025

aom vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

AOM could be made to crash or run programs if it opened a specially crafted
file.

Software Description:
- aom: AV1 Video Codec Library

Details:

Xiantong Hou discovered that AOM did not properly handle certain malformed
media files. If an application using AOM opened a specially crafted file, a
remote attacker could cause a denial of service, or possibly execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  aom-tools                       3.3.0-1ubuntu0.1
  libaom-dev                      3.3.0-1ubuntu0.1
  libaom3                         3.3.0-1ubuntu0.1

Ubuntu 20.04 LTS
  aom-tools                       1.0.0.errata1-3+deb11u1ubuntu0.1
  libaom-dev                      1.0.0.errata1-3+deb11u1ubuntu0.1
  libaom0                         1.0.0.errata1-3+deb11u1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7397-1
  CVE-2024-5171

Package Information:
https://launchpad.net/ubuntu/+source/aom/3.3.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/aom/1.0.0.errata1-3+deb11u1ubuntu0.1



[USN-7398-1] libtar vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7398-1
March 31, 2025

libtar vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in libtar.

Software Description:
- libtar: C library for manipulating tar archives (development files)

Details:

It was discovered that libtar may perform out-of-bounds reads when
processing specially crafted tar files. An attacker could possibly use
this issue to cause libtar to crash, resulting in a denial of service,
or execute arbitrary code. (CVE-2021-33643, CVE-2021-33644)

It was discovered that libtar contained a memory leak due to failing
to free a variable, causing performance degradation. An attacker
could possibly use this issue to cause libtar to crash, resulting in a
denial of service. (CVE-2021-33645, CVE-2021-33646)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  libtar-dev                      1.2.20-8.1ubuntu0.24.10.1
  libtar0t64                      1.2.20-8.1ubuntu0.24.10.1

Ubuntu 24.04 LTS
  libtar-dev                      1.2.20-8.1ubuntu0.24.04.1
  libtar0t64                      1.2.20-8.1ubuntu0.24.04.1

Ubuntu 22.04 LTS
  libtar-dev                      1.2.20-8ubuntu0.22.04.1
  libtar0                         1.2.20-8ubuntu0.22.04.1

Ubuntu 20.04 LTS
  libtar-dev                      1.2.20-8ubuntu0.20.04.1
  libtar0                         1.2.20-8ubuntu0.20.04.1

Ubuntu 18.04 LTS
  libtar-dev                      1.2.20-7ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  libtar0                         1.2.20-7ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libtar-dev                      1.2.20-4ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  libtar0                         1.2.20-4ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7398-1
  CVE-2021-33643, CVE-2021-33644, CVE-2021-33645, CVE-2021-33646

Package Information:
https://launchpad.net/ubuntu/+source/libtar/1.2.20-8.1ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/libtar/1.2.20-8.1ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/libtar/1.2.20-8ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/libtar/1.2.20-8ubuntu0.20.04.1



[USN-7399-1] RabbitMQ Server vulnerability


==========================================================================
Ubuntu Security Notice USN-7399-1
March 31, 2025

rabbitmq-server vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

RabbitMQ Server's management UI could be made to run code via
cross-site scripting (XSS).

Software Description:
- rabbitmq-server: AMQP server written in Erlang

Details:

It was discovered that RabbitMQ Server's management UI did not sanitize
certain input. An attacker could possibly use this issue to inject code
by performing a cross-site scripting (XSS) attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  rabbitmq-server                 3.12.1-1ubuntu2.1

Ubuntu 24.04 LTS
  rabbitmq-server                 3.12.1-1ubuntu1.2

Ubuntu 22.04 LTS
  rabbitmq-server                 3.9.27-0ubuntu0.2

Ubuntu 20.04 LTS
  rabbitmq-server                 3.8.3-0ubuntu0.3

After a standard system update you need to restart RabbitMQ Server to make
all the necessary changes.
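The restart instruction in this notice, and the same instruction in USN-7376-2 (MariaDB) and USN-7395-1 (WebKitGTK), share one caveat: apt replaces the files on disk, but a process started before the update keeps executing the old code until it is restarted. The following is an added example, not code from the notices, from Canonical or from the needrestart project: it reads /proc/<pid>/maps and reports processes that still map a file the upgrade deleted. The set of package path prefixes and the sample maps excerpt are assumptions constructed for the example.

```python
import os

# Added example, not code from the notices above, from Canonical or from needrestart:
# find processes that still map a library or executable whose file dpkg replaced during
# the update. The kernel appends '(deleted)' to such entries in /proc/<pid>/maps.

# Assumption: only files installed by packages matter. memfd, /dev/shm and temporary
# files show up as deleted by design and are ignored.
PACKAGE_PATHS = ("/usr/", "/lib", "/bin/", "/sbin/", "/opt/")


def stale_mappings(maps_text):
    """Return the package-installed files mapped by one process that were replaced on disk.

    `maps_text` is the content of /proc/<pid>/maps: one mapping per line,
    'start-end perms offset dev inode [pathname]', with ' (deleted)' appended
    to the pathname when the mapped file no longer exists at that path.
    """
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)  # pathname may contain spaces; keep it whole
        if len(parts) < 6 or not parts[5].endswith(" (deleted)"):
            continue
        path = parts[5][: -len(" (deleted)")]
        if path.startswith(PACKAGE_PATHS):
            stale.add(path)
    return stale


def processes_needing_restart(proc="/proc"):
    """Map (pid, command name) -> stale files for every readable process.

    Run as root: other users' /proc/<pid>/maps are unreadable otherwise and
    are silently skipped, as are processes that exit during the scan.
    """
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as f:
                stale = stale_mappings(f.read())
            with open(os.path.join(proc, pid, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue
        if stale:
            found[(int(pid), comm)] = stale
    return found


# Constructed /proc/<pid>/maps excerpt (not captured from a real host) for a hypothetical
# mariadbd started before the mariadb-server and libssl3 packages were upgraded.
SAMPLE_MAPS = """\
5616b3a00000-5616b3b2c000 r-xp 00000000 fd:01 262147                     /usr/sbin/mariadbd (deleted)
7f2c10000000-7f2c10021000 rw-p 00000000 00:00 0
7f2c12345000-7f2c12789000 r-xp 00000000 fd:01 131072                     /usr/lib/x86_64-linux-gnu/libc.so.6
7f2c1a000000-7f2c1a0a0000 r-xp 00000000 fd:01 131099                     /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f2c1e000000-7f2c1e004000 rw-s 00000000 00:01 4096                       /memfd:mysqld (deleted)
7f2c1f000000-7f2c1f100000 rw-s 00000000 00:21 5                          /dev/shm/sem.mariadb (deleted)
7ffd3e000000-7ffd3e021000 rw-p 00000000 00:00 0                          [stack]
"""

if __name__ == "__main__":
    for (pid, comm), files in sorted(processes_needing_restart().items()):
        print(f"{pid} {comm}: needs restart, still maps {', '.join(sorted(files))}")
```

Run it as root after the update; Ubuntu's `needrestart` package performs the same kind of scan. For the notices on this page, `systemctl restart mariadb` and `systemctl restart rabbitmq-server` take care of the two daemons, while WebKitGTK is loaded into desktop applications such as Epiphany, which have to be closed and reopened (or the session logged out) before the new library is in use.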

References:
  https://ubuntu.com/security/notices/USN-7399-1
  CVE-2025-30219

Package Information:
https://launchpad.net/ubuntu/+source/rabbitmq-server/3.12.1-1ubuntu2.1
https://launchpad.net/ubuntu/+source/rabbitmq-server/3.12.1-1ubuntu1.2
https://launchpad.net/ubuntu/+source/rabbitmq-server/3.9.27-0ubuntu0.2
https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.3-0ubuntu0.3



[USN-7400-1] PHP vulnerabilities


=========================================================================
Ubuntu Security Notice USN-7400-1
March 31, 2025

php7.4, php8.1, php8.3 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php8.3: HTML-embedded scripting language interpreter
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code. (CVE-2024-11235)

It was discovered that PHP incorrectly handled certain folded headers.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code. (CVE-2025-1217)

It was discovered that PHP incorrectly handled certain headers.
An attacker could possibly use this issue to expose sensitive information
or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS,
Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2025-1219)

It was discovered that PHP incorrectly handled certain headers with an
invalid name and no colon. An attacker could possibly use this issue to
confuse applications into accepting invalid headers, causing code injection.
(CVE-2025-1734)

It was discovered that PHP incorrectly handled certain headers.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.10, and Ubuntu 24.04
LTS. (CVE-2025-1736)

It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to expose sensitive
information. (CVE-2025-1861)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
libapache2-mod-php8.3 8.3.11-0ubuntu0.24.10.5
php8.3 8.3.11-0ubuntu0.24.10.5
php8.3-cgi 8.3.11-0ubuntu0.24.10.5
php8.3-cli 8.3.11-0ubuntu0.24.10.5
php8.3-fpm 8.3.11-0ubuntu0.24.10.5

Ubuntu 24.04 LTS
libapache2-mod-php8.3 8.3.6-0ubuntu0.24.04.4
php8.3 8.3.6-0ubuntu0.24.04.4
php8.3-cgi 8.3.6-0ubuntu0.24.04.4
php8.3-cli 8.3.6-0ubuntu0.24.04.4
php8.3-fpm 8.3.6-0ubuntu0.24.04.4

Ubuntu 22.04 LTS
libapache2-mod-php7.4 8.1.2-1ubuntu2.21
libapache2-mod-php8.0 8.1.2-1ubuntu2.21
libapache2-mod-php8.1 8.1.2-1ubuntu2.21
php8.1 8.1.2-1ubuntu2.21
php8.1-cgi 8.1.2-1ubuntu2.21
php8.1-cli 8.1.2-1ubuntu2.21
php8.1-fpm 8.1.2-1ubuntu2.21

Ubuntu 20.04 LTS
libapache2-mod-php7.4 7.4.3-4ubuntu2.29
php7.4 7.4.3-4ubuntu2.29
php7.4-cgi 7.4.3-4ubuntu2.29
php7.4-cli 7.4.3-4ubuntu2.29
php7.4-fpm 7.4.3-4ubuntu2.29

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7400-1
CVE-2024-11235, CVE-2025-1217, CVE-2025-1219, CVE-2025-1734,
CVE-2025-1736, CVE-2025-1861

Package Information:
https://launchpad.net/ubuntu/+source/php8.3/8.3.11-0ubuntu0.24.10.5
https://launchpad.net/ubuntu/+source/php8.3/8.3.6-0ubuntu0.24.04.4
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.21
https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.29