[USN-7117-2] needrestart regression
==========================================================================
Ubuntu Security Notice USN-7117-2
November 26, 2024
needrestart regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
USN-7117-1 caused a regression in needrestart.
Software Description:
- needrestart: check which daemons need to be restarted after library
upgrades
Details:
USN-7117-1 fixed vulnerabilities in needrestart. The update introduced a
regression in needrestart. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Qualys discovered that needrestart passed unsanitized data to a library
(libmodule-scandeps-perl) which expects safe input. A local attacker could
possibly use this issue to execute arbitrary code as root.
(CVE-2024-11003)
Qualys discovered that the library libmodule-scandeps-perl incorrectly
parsed Perl code. This could allow a local attacker to execute arbitrary
shell commands. (CVE-2024-10224)
Qualys discovered that needrestart incorrectly used the PYTHONPATH
environment variable to spawn a new Python interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48990)
Qualys discovered that needrestart incorrectly checked the path to the
Python interpreter. A local attacker could possibly use this issue to win
a race condition and execute arbitrary code as root. (CVE-2024-48991)
Qualys discovered that needrestart incorrectly used the RUBYLIB
environment variable to spawn a new Ruby interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48992)
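A defensive pattern for the PYTHONPATH/RUBYLIB and interpreter-path issues described above, added here as an example and not code from needrestart or from the notice: the child interpreter is started from a fixed absolute path, the variables that let a caller inject code are stripped from its environment, and Python's isolated mode is kept as a second layer. The interpreter paths and the variable list are assumptions.

```python
import os
import subprocess

# Variables an unprivileged caller can set to make a freshly spawned
# interpreter load code of their choosing; PYTHONPATH and RUBYLIB are the two
# named in the notice, the rest are included on the same reasoning (assumed).
UNSAFE_VARS = {"PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP", "PYTHONUSERBASE",
               "RUBYLIB", "RUBYOPT", "PERL5LIB", "PERLLIB", "PERL5OPT",
               "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# Fixed absolute interpreter paths (assumed locations). The child is never
# located via PATH or via a path read from another process, so there is no
# check-then-use window in which a caller can swap the binary underneath.
INTERPRETERS = {"python": "/usr/bin/python3", "ruby": "/usr/bin/ruby"}


def scrubbed_env(env):
    """Copy of env without interpreter-influencing variables."""
    return {k: v for k, v in env.items()
            if k not in UNSAFE_VARS and not k.startswith("PYTHON")}


def interpreter_argv(kind, script):
    """argv to run script with the chosen interpreter from its fixed path."""
    exe = INTERPRETERS[kind]
    if kind == "python":
        # -I (isolated mode) also ignores PYTHON* variables and the user
        # site-packages directory: defence in depth on top of the scrub.
        return [exe, "-I", script]
    return [exe, script]


def run_isolated(kind, script, env=None):
    """Run script in a child interpreter with a scrubbed environment."""
    base = os.environ if env is None else env
    return subprocess.run(interpreter_argv(kind, script), env=scrubbed_env(base),
                          capture_output=True, text=True, check=False)
```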
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
needrestart 3.6-8ubuntu4.3
Ubuntu 24.04 LTS
needrestart 3.6-7ubuntu4.4
Ubuntu 22.04 LTS
needrestart 3.5-5ubuntu2.3
Ubuntu 20.04 LTS
needrestart 3.4-6ubuntu0.1+esm2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
needrestart 3.1-1ubuntu0.1+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
needrestart 2.6-1ubuntu0.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7117-2
https://ubuntu.com/security/notices/USN-7117-1
https://launchpad.net/bugs/2089193
Package Information:
https://launchpad.net/ubuntu/+source/needrestart/3.6-8ubuntu4.3
https://launchpad.net/ubuntu/+source/needrestart/3.6-7ubuntu4.4
https://launchpad.net/ubuntu/+source/needrestart/3.5-5ubuntu2.3
[USN-7129-1] TinyGLTF vulnerability
==========================================================================
Ubuntu Security Notice USN-7129-1
November 26, 2024
TinyGLTF vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
TinyGLTF could be made to crash or run programs as your login if it
received specially crafted input.
Software Description:
- tinygltf: glTF loader and saver library
Details:
It was discovered that TinyGLTF performed file path expansion in an
insecure way on certain inputs. An attacker could possibly use this
issue to cause a denial of service, or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
libtinygltf-dev 2.5.0+dfsg-4ubuntu0.1
libtinygltf1d 2.5.0+dfsg-4ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7129-1
CVE-2022-3008
Package Information:
https://launchpad.net/ubuntu/+source/tinygltf/2.5.0+dfsg-4ubuntu0.1
[USN-7128-1] Pygments vulnerability
==========================================================================
Ubuntu Security Notice USN-7128-1
November 26, 2024
pygments vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Pygments could be made to crash if it received specially crafted input.
Software Description:
- pygments: Generic syntax highlighter
Details:
Sebastian Chnelik discovered that Pygments used an inefficient regular
expression for analyzing certain inputs. An attacker could possibly use this
issue to cause a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
python3-pygments 2.11.2+dfsg-2ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7128-1
CVE-2022-40896
Package Information:
https://launchpad.net/ubuntu/+source/pygments/2.11.2+dfsg-2ubuntu0.1
[USN-7126-1] libsoup vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7126-1
November 27, 2024
libsoup2.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in libsoup.
Software Description:
- libsoup2.4: HTTP client/server library for GNOME
Details:
It was discovered that libsoup ignored certain characters at the end of
header names. A remote attacker could possibly use this issue to perform
an HTTP request smuggling attack. (CVE-2024-52530)
It was discovered that libsoup did not correctly handle memory while
performing UTF-8 conversions. An attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. (CVE-2024-52531)
It was discovered that libsoup could enter an infinite loop when reading
certain websocket data. An attacker could possibly use this issue to
cause a denial of service. (CVE-2024-52532)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libsoup-2.4-1 2.74.3-7ubuntu0.1
Ubuntu 24.04 LTS
libsoup-2.4-1 2.74.3-6ubuntu1.1
Ubuntu 22.04 LTS
libsoup2.4-1 2.74.2-3ubuntu0.1
Ubuntu 20.04 LTS
libsoup2.4-1 2.70.0-1ubuntu0.1
Ubuntu 18.04 LTS
libsoup2.4-1 2.62.1-1ubuntu0.4+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7126-1
CVE-2024-52530, CVE-2024-52531, CVE-2024-52532
Package Information:
https://launchpad.net/ubuntu/+source/libsoup2.4/2.74.3-7ubuntu0.1
https://launchpad.net/ubuntu/+source/libsoup2.4/2.74.3-6ubuntu1.1
https://launchpad.net/ubuntu/+source/libsoup2.4/2.74.2-3ubuntu0.1
https://launchpad.net/ubuntu/+source/libsoup2.4/2.70.0-1ubuntu0.1
[USN-7127-1] libsoup3 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7127-1
November 27, 2024
libsoup3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in libsoup3.
Software Description:
- libsoup3: GObject introspection data for the libsoup HTTP library
Details:
It was discovered that libsoup ignored certain characters at the end of
header names. A remote attacker could possibly use this issue to perform
an HTTP request smuggling attack. This issue only affected Ubuntu 22.04 LTS
and Ubuntu 24.04 LTS. (CVE-2024-52530)
It was discovered that libsoup did not correctly handle memory while
performing UTF-8 conversions. An attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. (CVE-2024-52531)
It was discovered that libsoup could enter an infinite loop when reading
certain websocket data. An attacker could possibly use this issue to
cause a denial of service. (CVE-2024-52532)
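An added example, not code from libsoup or from the notices, of the strict field-name check behind CVE-2024-52530 as described in both USN-7126-1 and USN-7127-1: a header name that is not an RFC 9110 token, for instance one with trailing whitespace or a control byte before the colon, is reported so that the request can be rejected outright rather than silently trimmed into a different header. The sample request is constructed.

```python
import re

# RFC 9110 token characters: the only bytes permitted in an HTTP field name.
TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_header_names(raw_request: bytes):
    """Return [(line_number, name)] for every field line whose name is not a
    strict token. Trailing whitespace or control bytes before the colon, a
    missing colon, and obsolete line folding (leading whitespace) all fail.
    A strict parser answers such a request with 400 instead of trimming the
    name, so every hop in a proxy chain sees the same set of headers."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    bad = []
    for lineno, line in enumerate(lines[1:], start=2):  # skip request line
        name, sep, _value = line.partition(b":")
        if not sep or not TCHAR.match(name):
            bad.append((lineno, name))
    return bad


def is_well_formed(raw_request: bytes) -> bool:
    return not check_header_names(raw_request)


# Constructed sample: one clean header, two with trailing junk in the name.
SAMPLE = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"X-Request-Id : abc\r\n"
          b"X-Trace\x0b: 1\r\n"
          b"\r\n")

if __name__ == "__main__":
    for lineno, name in check_header_names(SAMPLE):
        print(f"line {lineno}: rejected field name {name!r}")
```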
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libsoup-3.0-0 3.6.0-2ubuntu0.1
Ubuntu 24.04 LTS
libsoup-3.0-0 3.4.4-5ubuntu0.1
Ubuntu 22.04 LTS
libsoup-3.0-0 3.0.7-0ubuntu1+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7127-1
CVE-2024-52530, CVE-2024-52531, CVE-2024-52532
Package Information:
https://launchpad.net/ubuntu/+source/libsoup3/3.6.0-2ubuntu0.1
https://launchpad.net/ubuntu/+source/libsoup3/3.4.4-5ubuntu0.1
[USN-6988-2] Twisted vulnerability
==========================================================================
Ubuntu Security Notice USN-6988-2
November 26, 2024
twisted vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Twisted could allow unintended access to information over the network.
Software Description:
- twisted: Event-based framework for internet applications
Details:
USN-6988-1 fixed CVE-2024-41671 in Twisted. The USN incorrectly stated that
previous releases were unaffected. This update provides the equivalent fix
for Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS.
Original advisory details:
Ben Kallus discovered that Twisted incorrectly handled response order when
processing multiple HTTP requests. A remote attacker could possibly use
this issue to delay and manipulate responses.
This issue only affected Ubuntu 24.04 LTS. (CVE-2024-41671)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
python3-twisted 22.1.0-2ubuntu2.6
Ubuntu 20.04 LTS
python3-twisted 18.9.0-11ubuntu0.20.04.5
Ubuntu 18.04 LTS
python-twisted 17.9.0-2ubuntu0.3+esm2
Available with Ubuntu Pro
python3-twisted 17.9.0-2ubuntu0.3+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
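An added example, not part of any of the notices, that turns the update instructions throughout this digest into a check: a Debian version comparison following the same rules as dpkg --compare-versions (including '~' sorting low, so a ~esm build is older than the plain version, and '+esm' sorting high) applied to a table of fixed versions taken from the notices above. The installed-version input is constructed; on a real host it would come from dpkg-query -W.

```python
import re


def _order(c):
    # dpkg ordering for non-digits: '~' sorts before everything, even the end
    # of the string (so 2.6-1ubuntu0.1~esm2 < 2.6-1ubuntu0.1); letters sort
    # before other characters such as '+' (so ...0.1+esm2 > ...0.1).
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return oa - ob
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_versions(x, y):
    """-1, 0 or 1 for Debian version strings x <, == or > y."""
    def split(v):  # epoch:upstream-revision, epoch and revision optional
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    r = (ex - ey) or _cmp_fragment(ux, uy) or _cmp_fragment(rx, ry)
    return (r > 0) - (r < 0)


# Fixed versions taken from the notices above, keyed by (release, package).
FIXED = {
    ("22.04", "needrestart"): "3.5-5ubuntu2.3",
    ("22.04", "libsoup2.4-1"): "2.74.2-3ubuntu0.1",
    ("22.04", "libsoup-3.0-0"): "3.0.7-0ubuntu1+esm1",
    ("22.04", "python3-pygments"): "2.11.2+dfsg-2ubuntu0.1",
    ("22.04", "python3-twisted"): "22.1.0-2ubuntu2.6",
    ("20.04", "python3-twisted"): "18.9.0-11ubuntu0.20.04.5",
}


def unpatched(release, installed):
    """installed maps package -> version; returns those below the fix."""
    return sorted(p for (rel, p), fixed in FIXED.items()
                  if rel == release and p in installed
                  and compare_versions(installed[p], fixed) < 0)
```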
References:
https://ubuntu.com/security/notices/USN-6988-2
https://ubuntu.com/security/notices/USN-6988-1
CVE-2024-41671
Package Information:
https://launchpad.net/ubuntu/+source/twisted/22.1.0-2ubuntu2.6
https://launchpad.net/ubuntu/+source/twisted/18.9.0-11ubuntu0.20.04.5