
Ubuntu Linux has received updates addressing security vulnerabilities, including those related to nginx, iniParser, libcap2, KVM, and the kernel:

[USN-7285-1] nginx vulnerability
[USN-7286-1] iniParser vulnerability
[USN-7287-1] libcap2 vulnerability
[USN-7262-2] Linux kernel (KVM) vulnerabilities
[USN-7289-1] Linux kernel vulnerabilities




[USN-7285-1] nginx vulnerability


=========================================================================
Ubuntu Security Notice USN-7285-1
February 24, 2025

nginx vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in nginx.

Software Description:
- nginx: small, powerful, scalable web/proxy server

Details:

It was discovered that nginx incorrectly handled configurations in which
multiple server blocks share the same IP address and port. An attacker
could use session resumption to bypass client certificate authentication
requirements on these servers. This issue only affected Ubuntu 24.10.

A buffer overflow and a null pointer dereference were fixed in the nginx
rtmp module (LP: #1977718). This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
nginx 1.26.0-2ubuntu3.2
nginx-common 1.26.0-2ubuntu3.2
nginx-core 1.26.0-2ubuntu3.2
nginx-dev 1.26.0-2ubuntu3.2
nginx-doc 1.26.0-2ubuntu3.2
nginx-extras 1.26.0-2ubuntu3.2
nginx-full 1.26.0-2ubuntu3.2
nginx-light 1.26.0-2ubuntu3.2

Ubuntu 22.04 LTS
libnginx-mod-rtmp 1.18.0-6ubuntu14.6
nginx 1.18.0-6ubuntu14.6
nginx-common 1.18.0-6ubuntu14.6
nginx-core 1.18.0-6ubuntu14.6
nginx-doc 1.18.0-6ubuntu14.6
nginx-extras 1.18.0-6ubuntu14.6
nginx-full 1.18.0-6ubuntu14.6
nginx-light 1.18.0-6ubuntu14.6

Ubuntu 20.04 LTS
libnginx-mod-rtmp 1.18.0-0ubuntu1.7
nginx 1.18.0-0ubuntu1.7
nginx-common 1.18.0-0ubuntu1.7
nginx-core 1.18.0-0ubuntu1.7
nginx-doc 1.18.0-0ubuntu1.7
nginx-extras 1.18.0-0ubuntu1.7
nginx-full 1.18.0-0ubuntu1.7
nginx-light 1.18.0-0ubuntu1.7

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7285-1
CVE-2025-23419, https://launchpad.net/bugs/1977718

Package Information:
https://launchpad.net/ubuntu/+source/nginx/1.26.0-2ubuntu3.2
https://launchpad.net/ubuntu/+source/nginx/1.18.0-6ubuntu14.6
https://launchpad.net/ubuntu/+source/nginx/1.18.0-0ubuntu1.7



[USN-7286-1] iniParser vulnerability


==========================================================================
Ubuntu Security Notice USN-7286-1
February 24, 2025

iniparser vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

iniparser could be made to crash if it opened a specially crafted file.

Software Description:
- iniparser: INI file reader/writer

Details:

It was discovered that iniParser incorrectly handled certain files. An
attacker could possibly use this issue to cause iniParser to crash,
resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
libiniparser1 4.2.1-1ubuntu0.1

Ubuntu 24.04 LTS
libiniparser1 4.1-7ubuntu0.1

Ubuntu 22.04 LTS
libiniparser1 4.1-4ubuntu4.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7286-1
CVE-2025-0633

Package Information:
https://launchpad.net/ubuntu/+source/iniparser/4.2.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/iniparser/4.1-7ubuntu0.1
https://launchpad.net/ubuntu/+source/iniparser/4.1-4ubuntu4.2



[USN-7287-1] libcap2 vulnerability


==========================================================================
Ubuntu Security Notice USN-7287-1
February 24, 2025

libcap2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

libcap2 would allow unintended capabilities.

Software Description:
- libcap2: POSIX 1003.1e capabilities (library)

Details:

Tianjia Zhang discovered the libcap2 PAM module pam_cap incorrectly
handled parsing group names in the configuration file. This could result in
certain users being granted capabilities, contrary to expectations.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
libpam-cap 1:2.66-5ubuntu3.1

Ubuntu 24.04 LTS
libpam-cap 1:2.66-5ubuntu2.2

Ubuntu 22.04 LTS
libpam-cap 1:2.44-1ubuntu0.22.04.2

Ubuntu 20.04 LTS
libpam-cap 1:2.32-1ubuntu0.2

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7287-1
CVE-2025-1390

Package Information:
https://launchpad.net/ubuntu/+source/libcap2/1:2.66-5ubuntu3.1
https://launchpad.net/ubuntu/+source/libcap2/1:2.66-5ubuntu2.2
https://launchpad.net/ubuntu/+source/libcap2/1:2.44-1ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/libcap2/1:2.32-1ubuntu0.2



[USN-7262-2] Linux kernel (KVM) vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7262-2
February 24, 2025

linux-kvm vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-kvm: Linux kernel for cloud environments

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Multiple devices driver;
- Network drivers;
- Sonic Silicon Backplane drivers;
- File systems infrastructure;
- Closures library;
- Netfilter;
(CVE-2024-41012, CVE-2024-38597, CVE-2024-42252, CVE-2024-43914,
CVE-2024-38553, CVE-2024-40982, CVE-2024-41066, CVE-2024-42311,
CVE-2024-41020, CVE-2024-53141)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
linux-image-4.4.0-1141-kvm 4.4.0-1141.152
Available with Ubuntu Pro
linux-image-kvm 4.4.0.1141.138
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7262-2
https://ubuntu.com/security/notices/USN-7262-1
CVE-2024-38553, CVE-2024-38597, CVE-2024-40982, CVE-2024-41012,
CVE-2024-41020, CVE-2024-41066, CVE-2024-42252, CVE-2024-42311,
CVE-2024-43914, CVE-2024-53141



[USN-7289-1] Linux kernel vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7289-1
February 24, 2025

linux-azure, linux-azure-fde, linux-gkeop, linux-nvidia, linux-oracle
vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-nvidia: Linux kernel for NVIDIA systems
- linux-oracle: Linux kernel for Oracle Cloud systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- x86 architecture;
- Block layer subsystem;
- ACPI drivers;
- GPU drivers;
- HID subsystem;
- I2C subsystem;
- IIO ADC drivers;
- IIO subsystem;
- InfiniBand drivers;
- IOMMU subsystem;
- IRQ chip drivers;
- Multiple devices driver;
- Media drivers;
- Network drivers;
- STMicroelectronics network drivers;
- Parport drivers;
- Pin controllers subsystem;
- Direct Digital Synthesis drivers;
- TCM subsystem;
- TTY drivers;
- USB Dual Role (OTG-ready) Controller drivers;
- USB Serial drivers;
- USB Type-C support driver;
- USB Type-C Connector System Software Interface driver;
- BTRFS file system;
- File systems infrastructure;
- Network file system (NFS) client;
- NILFS2 file system;
- NTFS3 file system;
- SMB network file system;
- User-space API (UAPI);
- io_uring subsystem;
- BPF subsystem;
- Timer subsystem drivers;
- Tracing infrastructure;
- Closures library;
- Memory management;
- Amateur Radio drivers;
- Bluetooth subsystem;
- Networking core;
- IPv4 networking;
- MAC80211 subsystem;
- Multipath TCP;
- Netfilter;
- Network traffic control;
- SCTP protocol;
- XFRM subsystem;
- Key management;
- FireWire sound drivers;
- HD-audio driver;
- QCOM ASoC drivers;
- STMicroelectronics SoC drivers;
- KVM core;
(CVE-2024-50196, CVE-2024-50199, CVE-2024-53055, CVE-2024-53101,
CVE-2024-50160, CVE-2024-50257, CVE-2024-50148, CVE-2024-50182,
CVE-2024-50162, CVE-2024-50249, CVE-2024-50127, CVE-2024-50115,
CVE-2024-50192, CVE-2024-50218, CVE-2024-50086, CVE-2024-50262,
CVE-2024-50201, CVE-2024-50082, CVE-2024-50110, CVE-2023-52913,
CVE-2024-50290, CVE-2024-50269, CVE-2024-50208, CVE-2024-50103,
CVE-2024-50194, CVE-2024-50237, CVE-2024-50245, CVE-2024-50128,
CVE-2024-53052, CVE-2024-50117, CVE-2024-42252, CVE-2024-50233,
CVE-2024-50058, CVE-2024-50229, CVE-2024-40965, CVE-2024-50265,
CVE-2024-50143, CVE-2024-50205, CVE-2024-50131, CVE-2024-50236,
CVE-2024-53066, CVE-2024-50268, CVE-2024-41066, CVE-2024-53088,
CVE-2024-50209, CVE-2024-40953, CVE-2024-50168, CVE-2024-50010,
CVE-2024-50195, CVE-2024-50171, CVE-2024-53058, CVE-2024-50267,
CVE-2024-53061, CVE-2024-53042, CVE-2024-53104, CVE-2024-50247,
CVE-2024-50101, CVE-2024-53063, CVE-2024-50167, CVE-2024-50273,
CVE-2024-50163, CVE-2024-50085, CVE-2024-50154, CVE-2024-50301,
CVE-2024-50259, CVE-2024-50292, CVE-2024-50185, CVE-2024-26718,
CVE-2024-50116, CVE-2024-50302, CVE-2024-50083, CVE-2024-50299,
CVE-2024-50036, CVE-2024-50251, CVE-2024-50202, CVE-2024-50099,
CVE-2024-50279, CVE-2024-50232, CVE-2024-53059, CVE-2024-50153,
CVE-2024-50156, CVE-2024-41080, CVE-2024-50193, CVE-2024-50287,
CVE-2024-50141, CVE-2024-50296, CVE-2024-50230, CVE-2024-50074,
CVE-2024-50234, CVE-2024-50142, CVE-2024-42291, CVE-2024-50151,
CVE-2024-50295, CVE-2024-50150, CVE-2024-50282, CVE-2024-50278,
CVE-2024-50198, CVE-2024-53097, CVE-2024-50244, CVE-2024-50134,
CVE-2024-39497, CVE-2024-50072, CVE-2024-35887)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
linux-image-5.15.0-1060-gkeop 5.15.0-1060.68
linux-image-5.15.0-1072-nvidia 5.15.0-1072.73
linux-image-5.15.0-1072-nvidia-lowlatency 5.15.0-1072.73
linux-image-5.15.0-1075-oracle 5.15.0-1075.81
linux-image-5.15.0-1081-azure 5.15.0-1081.90
linux-image-5.15.0-1081-azure-fde 5.15.0-1081.90.1
linux-image-azure-fde-lts-22.04 5.15.0.1081.90.58
linux-image-azure-lts-22.04 5.15.0.1081.79
linux-image-gkeop 5.15.0.1060.59
linux-image-gkeop-5.15 5.15.0.1060.59
linux-image-nvidia 5.15.0.1072.72
linux-image-nvidia-lowlatency 5.15.0.1072.72
linux-image-oracle-lts-22.04 5.15.0.1075.71

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7289-1
CVE-2023-52913, CVE-2024-26718, CVE-2024-35887, CVE-2024-39497,
CVE-2024-40953, CVE-2024-40965, CVE-2024-41066, CVE-2024-41080,
CVE-2024-42252, CVE-2024-42291, CVE-2024-50010, CVE-2024-50036,
CVE-2024-50058, CVE-2024-50072, CVE-2024-50074, CVE-2024-50082,
CVE-2024-50083, CVE-2024-50085, CVE-2024-50086, CVE-2024-50099,
CVE-2024-50101, CVE-2024-50103, CVE-2024-50110, CVE-2024-50115,
CVE-2024-50116, CVE-2024-50117, CVE-2024-50127, CVE-2024-50128,
CVE-2024-50131, CVE-2024-50134, CVE-2024-50141, CVE-2024-50142,
CVE-2024-50143, CVE-2024-50148, CVE-2024-50150, CVE-2024-50151,
CVE-2024-50153, CVE-2024-50154, CVE-2024-50156, CVE-2024-50160,
CVE-2024-50162, CVE-2024-50163, CVE-2024-50167, CVE-2024-50168,
CVE-2024-50171, CVE-2024-50182, CVE-2024-50185, CVE-2024-50192,
CVE-2024-50193, CVE-2024-50194, CVE-2024-50195, CVE-2024-50196,
CVE-2024-50198, CVE-2024-50199, CVE-2024-50201, CVE-2024-50202,
CVE-2024-50205, CVE-2024-50208, CVE-2024-50209, CVE-2024-50218,
CVE-2024-50229, CVE-2024-50230, CVE-2024-50232, CVE-2024-50233,
CVE-2024-50234, CVE-2024-50236, CVE-2024-50237, CVE-2024-50244,
CVE-2024-50245, CVE-2024-50247, CVE-2024-50249, CVE-2024-50251,
CVE-2024-50257, CVE-2024-50259, CVE-2024-50262, CVE-2024-50265,
CVE-2024-50267, CVE-2024-50268, CVE-2024-50269, CVE-2024-50273,
CVE-2024-50278, CVE-2024-50279, CVE-2024-50282, CVE-2024-50287,
CVE-2024-50290, CVE-2024-50292, CVE-2024-50295, CVE-2024-50296,
CVE-2024-50299, CVE-2024-50301, CVE-2024-50302, CVE-2024-53042,
CVE-2024-53052, CVE-2024-53055, CVE-2024-53058, CVE-2024-53059,
CVE-2024-53061, CVE-2024-53063, CVE-2024-53066, CVE-2024-53088,
CVE-2024-53097, CVE-2024-53101, CVE-2024-53104

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1081.90
https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1081.90.1
https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1060.68
https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1072.73
https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1075.81