[USN-7210-1] .NET vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7210-1
January 16, 2025
dotnet8, dotnet9 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in .NET.
Software Description:
- dotnet8: .NET CLI tools and runtime
- dotnet9: .NET CLI tools and runtime
Details:
It was discovered that .NET did not properly handle input provided to its
Convert.TryToHexString method. An attacker could possibly use this issue
to execute arbitrary code. (CVE-2025-21171)
It was discovered that .NET did not properly handle an integer overflow
when processing certain specially crafted files. An attacker could
possibly use this issue to execute arbitrary code. (CVE-2025-21172)
Daniel Plaisted and Noah Gilson discovered that .NET insecurely handled
temporary files, which could result in malicious package dependency
injection. An attacker could possibly use this issue to elevate privileges.
(CVE-2025-21173)
It was discovered that .NET did not properly perform input data validation
when processing certain specially crafted files. An attacker could
possibly use this issue to execute arbitrary code. (CVE-2025-21176)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
aspnetcore-runtime-8.0 8.0.12-0ubuntu1~24.10.1
aspnetcore-runtime-9.0 9.0.1-0ubuntu1~24.10.1
dotnet-host-8.0 8.0.12-0ubuntu1~24.10.1
dotnet-host-9.0 9.0.1-0ubuntu1~24.10.1
dotnet-hostfxr-8.0 8.0.12-0ubuntu1~24.10.1
dotnet-hostfxr-9.0 9.0.1-0ubuntu1~24.10.1
dotnet-runtime-8.0 8.0.12-0ubuntu1~24.10.1
dotnet-runtime-9.0 9.0.1-0ubuntu1~24.10.1
dotnet-sdk-8.0 8.0.112-0ubuntu1~24.10.1
dotnet-sdk-9.0 9.0.102-0ubuntu1~24.10.1
dotnet8 8.0.112-8.0.12-0ubuntu1~24.10.1
dotnet9 9.0.102-9.0.1-0ubuntu1~24.10.1
Ubuntu 24.04 LTS
aspnetcore-runtime-8.0 8.0.12-0ubuntu1~24.04.1
dotnet-host-8.0 8.0.12-0ubuntu1~24.04.1
dotnet-hostfxr-8.0 8.0.12-0ubuntu1~24.04.1
dotnet-runtime-8.0 8.0.12-0ubuntu1~24.04.1
dotnet-sdk-8.0 8.0.112-0ubuntu1~24.04.1
dotnet8 8.0.112-8.0.12-0ubuntu1~24.04.1
Ubuntu 22.04 LTS
aspnetcore-runtime-8.0 8.0.12-0ubuntu1~22.04.1
dotnet-host-8.0 8.0.12-0ubuntu1~22.04.1
dotnet-hostfxr-8.0 8.0.12-0ubuntu1~22.04.1
dotnet-runtime-8.0 8.0.12-0ubuntu1~22.04.1
dotnet-sdk-8.0 8.0.112-0ubuntu1~22.04.1
dotnet8 8.0.112-8.0.12-0ubuntu1~22.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7210-1
CVE-2025-21171, CVE-2025-21172, CVE-2025-21173, CVE-2025-21176
Package Information:
https://launchpad.net/ubuntu/+source/dotnet8/8.0.112-8.0.12-0ubuntu1~24.10.1
https://launchpad.net/ubuntu/+source/dotnet9/9.0.102-9.0.1-0ubuntu1~24.10.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.112-8.0.12-0ubuntu1~24.04.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.112-8.0.12-0ubuntu1~22.04.1
[USN-7212-1] Python 2.7 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7212-1
January 16, 2025
python2.7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Python 2.7.
Software Description:
- python2.7: An interactive high-level object-oriented language
Details:
It was discovered that Python incorrectly handled certain ZIP files. An
attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 22.04 LTS. (CVE-2019-9674)
It was discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into running a specially
crafted input, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2022-45061)
It was discovered that Python incorrectly handled certain crafted ZIP
files. An attacker could possibly use this issue to crash the program,
resulting in a denial of service. (CVE-2024-0450)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
python2.7 2.7.18-13ubuntu1.5+esm3
Available with Ubuntu Pro
python2.7-minimal 2.7.18-13ubuntu1.5+esm3
Available with Ubuntu Pro
Ubuntu 20.04 LTS
python2.7 2.7.18-1~20.04.7+esm4
Available with Ubuntu Pro
python2.7-minimal 2.7.18-1~20.04.7+esm4
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7212-1
CVE-2019-9674, CVE-2022-45061, CVE-2024-0450
[USN-7215-1] libxml2 vulnerability
==========================================================================
Ubuntu Security Notice USN-7215-1
January 16, 2025
libxml2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
libxml2 could be made to expose sensitive information over the network.
Software Description:
- libxml2: GNOME XML library
Details:
Xisco Fauli discovered that libxml2 incorrectly handled custom SAX
handlers. A remote attacker could possibly use this issue to perform XML
External Entity (XXE) attacks.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libxml2 2.12.7+dfsg-3ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7215-1
CVE-2024-40896
Package Information:
https://launchpad.net/ubuntu/+source/libxml2/2.12.7+dfsg-3ubuntu0.1
[USN-7214-1] HarfBuzz vulnerability
==========================================================================
Ubuntu Security Notice USN-7214-1
January 16, 2025
harfbuzz vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
HarfBuzz could be made to crash or run programs as your login if it opened
a specially crafted file.
Software Description:
- harfbuzz: OpenType text shaping engine
Details:
It was discovered that HarfBuzz incorrectly handled certain memory
operations. A remote attacker could use this issue to cause HarfBuzz to
crash, resulting in a denial of service, or possibly execute arbitrary
code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libharfbuzz-cairo0 9.0.0-1ubuntu0.1
libharfbuzz0b 9.0.0-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7214-1
CVE-2024-56732
Package Information:
https://launchpad.net/ubuntu/+source/harfbuzz/9.0.0-1ubuntu0.1
[USN-7213-1] poppler vulnerability
==========================================================================
Ubuntu Security Notice USN-7213-1
January 16, 2025
poppler vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
poppler could be made to crash or expose sensitive information if it opened
a specially crafted file.
Software Description:
- poppler: PDF rendering library
Details:
It was discovered that poppler incorrectly handled memory when opening
certain PDF files. An attacker could possibly use this issue to cause a
denial of service or obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libpoppler140 24.08.0-1ubuntu0.1
poppler-utils 24.08.0-1ubuntu0.1
Ubuntu 24.04 LTS
libpoppler134 24.02.0-1ubuntu9.2
poppler-utils 24.02.0-1ubuntu9.2
Ubuntu 22.04 LTS
libpoppler118 22.02.0-2ubuntu0.6
poppler-utils 22.02.0-2ubuntu0.6
Ubuntu 20.04 LTS
libpoppler97 0.86.1-0ubuntu1.5
poppler-utils 0.86.1-0ubuntu1.5
Ubuntu 18.04 LTS
libpoppler73 0.62.0-2ubuntu2.14+esm4
Available with Ubuntu Pro
poppler-utils 0.62.0-2ubuntu2.14+esm4
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libpoppler58 0.41.0-0ubuntu1.16+esm5
Available with Ubuntu Pro
poppler-utils 0.41.0-0ubuntu1.16+esm5
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7213-1
CVE-2024-56378
Package Information:
https://launchpad.net/ubuntu/+source/poppler/24.08.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/poppler/24.02.0-1ubuntu9.2
https://launchpad.net/ubuntu/+source/poppler/22.02.0-2ubuntu0.6
https://launchpad.net/ubuntu/+source/poppler/0.86.1-0ubuntu1.5
[USN-7211-1] Audacity vulnerability
==========================================================================
Ubuntu Security Notice USN-7211-1
January 16, 2025
audacity vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Audacity could expose sensitive information.
Software Description:
- audacity: fast, cross-platform audio editor
Details:
Mike Salvatore discovered that Audacity incorrectly handled default
permissions of temporary files created by the application. An attacker
could possibly use this issue to obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
audacity 2.3.3-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
audacity 2.2.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
audacity 2.1.2-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7211-1
CVE-2020-11867
[USN-7216-1] tqdm vulnerability
==========================================================================
Ubuntu Security Notice USN-7216-1
January 16, 2025
tqdm vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
tqdm could be made to crash or to allow arbitrary code execution if it
received specially crafted input.
Software Description:
- tqdm: fast, extensible progress bar for Python 3 and CLI tool
Details:
It was discovered that tqdm did not properly sanitize non-boolean CLI
arguments. A local attacker could possibly use this issue to execute
arbitrary code on the host. This issue only affected Ubuntu 22.04 LTS and
Ubuntu 24.04 LTS. (CVE-2024-34062)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-tqdm 4.66.2-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
python3-tqdm 4.57.0-2ubuntu0.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7216-1
CVE-2024-34062
[USN-7206-2] rsync regression
==========================================================================
Ubuntu Security Notice USN-7206-2
January 16, 2025
rsync regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
USN-7206-1 caused a regression in rsync.
Software Description:
- rsync: fast, versatile, remote (and local) file-copying tool
Details:
USN-7206-1 fixed vulnerabilities in rsync. The update introduced a
regression in rsync. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
did not properly handle checksum lengths. An attacker could use this
issue to execute arbitrary code. (CVE-2024-12084)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
compared checksums with uninitialized memory. An attacker could exploit
this issue to leak sensitive information. (CVE-2024-12085)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
incorrectly handled file checksums. A malicious server could use this
to expose arbitrary client files. (CVE-2024-12086)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
mishandled symlinks for some settings. An attacker could exploit this
to write files outside the intended directory. (CVE-2024-12087)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
failed to verify symbolic link destinations for some settings. An
attacker could exploit this for path traversal attacks. (CVE-2024-12088)
Aleksei Gorban discovered a race condition in rsync's handling of
symbolic links. An attacker could use this to access sensitive
information or escalate privileges. (CVE-2024-12747)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
rsync 3.2.7-1ubuntu1.2
Ubuntu 22.04 LTS
rsync 3.2.7-0ubuntu0.22.04.4
Ubuntu 20.04 LTS
rsync 3.1.3-8ubuntu0.9
Ubuntu 18.04 LTS
rsync 3.1.2-2.1ubuntu1.6+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
rsync 3.1.1-3ubuntu1.3+esm4
Available with Ubuntu Pro
Ubuntu 14.04 LTS
rsync 3.1.0-2ubuntu0.4+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
After a standard system update you need to restart rsync daemons, if
configured, to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7206-2
https://ubuntu.com/security/notices/USN-7206-1
https://launchpad.net/bugs/2095004
Package Information:
https://launchpad.net/ubuntu/+source/rsync/3.2.7-1ubuntu1.2
https://launchpad.net/ubuntu/+source/rsync/3.2.7-0ubuntu0.22.04.4
https://launchpad.net/ubuntu/+source/rsync/3.1.3-8ubuntu0.9
[USN-7209-1] GIMP DDS Plugin vulnerability
==========================================================================
Ubuntu Security Notice USN-7209-1
January 16, 2025
gimp-dds vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
The GIMP DDS Plugin could be made to crash or run programs as
your login if it opened a specially crafted file.
Software Description:
- gimp-dds: DDS (DirectDraw Surface) plugin for GIMP
Details:
Jacob Boerema discovered that the GIMP DDS Plugin incorrectly
processed DDS files due to a memory issue. An attacker could
exploit this through a specifically crafted DDS file to cause
GIMP to crash, resulting in a denial of service, or possibly
execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
gimp-dds 3.0.1-1+deb10u1build0.22.04.1
Ubuntu 20.04 LTS
gimp-dds 3.0.1-1+deb10u1build0.20.04.1
Ubuntu 18.04 LTS
gimp-dds 3.0.1-1+deb10u1build0.18.04.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
gimp-dds 3.0.1-1+deb10u1build0.16.04.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7209-1
CVE-2023-44441
Package Information:
https://launchpad.net/ubuntu/+source/gimp-dds/3.0.1-1+deb10u1build0.22.04.1
https://launchpad.net/ubuntu/+source/gimp-dds/3.0.1-1+deb10u1build0.20.04.1
[USN-7208-1] Apache Commons BCEL vulnerability
==========================================================================
Ubuntu Security Notice USN-7208-1
January 16, 2025
bcel vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Apache Commons BCEL could be made to crash or run programs
if it received specially crafted network traffic.
Software Description:
- bcel: Analyze, create, and manipulate (binary) Java class files
Details:
Felix Wilhelm discovered that Apache Commons BCEL APIs
incorrectly handled parameters due to a memory issue. An
attacker supplying malicious input could exploit this to
generate and execute arbitrary bytecode.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
libbcel-java 6.5.0-1ubuntu0.1
Ubuntu 20.04 LTS
libbcel-java 6.4.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libbcel-java 6.2-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libbcel-java 6.0~rc3-2ubuntu1+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7208-1
CVE-2022-42920
Package Information:
https://launchpad.net/ubuntu/+source/bcel/6.5.0-1ubuntu0.1
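Added example, not part of these notices: a self-contained check that compares installed package versions against the fixed versions listed in the Ubuntu 24.04 LTS tables above. It reimplements dpkg's version ordering so suffixes such as `~24.04.1` and `~esm1` and numeric runs compare the way `dpkg --compare-versions` compares them; it assumes input in the format of `dpkg-query -W -f='${Package} ${Version}\n'`, and the embedded dpkg-query sample is constructed rather than captured from a host.

```python
import re
from itertools import zip_longest

def _order(c):
    """dpkg character weight: '~' < end of string < letters < other symbols."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _verrevcmp(a, b):
    """Compare one fragment like dpkg: non-digit runs char by char, digit runs numerically."""
    runs_a, runs_b = (re.findall(r"(\D*)(\d*)", s) for s in (a, b))
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def debian_version_cmp(v1, v2):
    """<0, 0 or >0 like `dpkg --compare-versions` for [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Fixed versions for Ubuntu 24.04 LTS, copied from the USN tables above.
FIXED_24_04 = {
    "dotnet-host-8.0": "8.0.12-0ubuntu1~24.04.1",
    "dotnet-sdk-8.0": "8.0.112-0ubuntu1~24.04.1",
    "poppler-utils": "24.02.0-1ubuntu9.2",
    "rsync": "3.2.7-1ubuntu1.2",
}

def parse_dpkg_query(text):
    """Parse `dpkg-query -W -f='${Package} ${Version}\\n'` output into a dict."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def outdated_packages(installed, fixed):
    """Installed packages still older than the advisory's fixed version."""
    return {p: (installed[p], v) for p, v in fixed.items()
            if p in installed and debian_version_cmp(installed[p], v) < 0}

# Constructed sample of dpkg-query output; not captured from a real host.
SAMPLE_DPKG = """\
dotnet-host-8.0 8.0.11-0ubuntu1~24.04.1
dotnet-sdk-8.0 8.0.112-0ubuntu1~24.04.1
poppler-utils 24.02.0-1ubuntu9.1
"""
```

Packages absent from the host are skipped, so the check only reports installed packages that still carry a version older than the notice's fixed version.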