Ubuntu 6566 Published by

Ubuntu Linux has received two security updates: [USN-7064-2] addressing a nano vulnerability and [USN-7084-1] concerning a urllib3 vulnerability:

[USN-7064-2] nano vulnerability
[USN-7084-1] urllib3 vulnerability




[USN-7064-2] nano vulnerability


==========================================================================
Ubuntu Security Notice USN-7064-2
October 29, 2024

nano vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

nano could be made to give users administrator privileges.

Software Description:
- nano: small, friendly text editor inspired by Pico

Details:

USN-7064-1 fixed a vulnerability in nano. This update provides the
corresponding update for Ubuntu 14.04 LTS.

Original advisory details:

It was discovered that nano allowed a possible privilege escalation
through an insecure temporary file. If nano was killed while editing, the
permissions granted to the emergency save file could be used by an
attacker to escalate privileges using a malicious symlink.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS
nano 2.2.6-1ubuntu1+esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7064-2
https://ubuntu.com/security/notices/USN-7064-1
CVE-2024-5742



[USN-7084-1] urllib3 vulnerability


==========================================================================
Ubuntu Security Notice USN-7084-1
October 29, 2024

python-urllib3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

urllib3 could leak sensitive information.

Software Description:
- python-urllib3: HTTP library with thread-safe connection pooling

Details:

It was discovered that urllib3 didn't strip HTTP Proxy-Authorization header
on cross-origin redirects. A remote attacker could possibly use this issue
to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  python3-urllib3                 2.0.7-2ubuntu0.1

Ubuntu 24.04 LTS
  python3-urllib3                 2.0.7-1ubuntu0.1

Ubuntu 22.04 LTS
  python3-urllib3                 1.26.5-1~exp1ubuntu0.2

Ubuntu 20.04 LTS
  python3-urllib3                 1.25.8-2ubuntu0.4

Ubuntu 18.04 LTS
  python-urllib3                  1.22-1ubuntu0.18.04.2+esm2
                                  Available with Ubuntu Pro
  python3-urllib3                 1.22-1ubuntu0.18.04.2+esm2
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  python-urllib3                  1.13.1-2ubuntu0.16.04.4+esm2
                                  Available with Ubuntu Pro
  python3-urllib3                 1.13.1-2ubuntu0.16.04.4+esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7084-1
  CVE-2024-37891

Package Information:
https://launchpad.net/ubuntu/+source/python-urllib3/2.0.7-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-urllib3/2.0.7-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.26.5-1~exp1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-urllib3/1.25.8-2ubuntu0.4