[USN-6560-3] OpenSSH vulnerability
[USN-7013-1] Dovecot vulnerabilities
[USN-7011-1] ClamAV vulnerabilities
[USN-7015-1] Python vulnerabilities
[USN-7014-1] nginx vulnerability
[USN-7012-1] curl vulnerability
[USN-6560-3] OpenSSH vulnerability
=========================================================================
Ubuntu Security Notice USN-6560-3
September 16, 2024
openssh vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
OpenSSH could be made to crash or run programs as your login
if it received a specially crafted input.
Software Description:
- openssh: secure shell (SSH) for secure access to remote machines
Details:
USN-6560-2 fixed a vulnerability in OpenSSH. This update provides
the corresponding update for Ubuntu 16.04 LTS.
Original advisory details:
It was discovered that OpenSSH incorrectly handled user names or host
names with shell metacharacters. An attacker could possibly use this
issue to perform OS command injection.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
openssh-client 1:7.2p2-4ubuntu2.10+esm6
Available with Ubuntu Pro
openssh-server 1:7.2p2-4ubuntu2.10+esm6
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6560-3
https://ubuntu.com/security/notices/USN-6560-2
https://ubuntu.com/security/notices/USN-6560-1
CVE-2023-51385
[USN-7013-1] Dovecot vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7013-1
September 16, 2024
dovecot vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Dovecot.
Software Description:
- dovecot: IMAP and POP3 email server
Details:
It was discovered that Dovecot incorrectly handled a large number of
address headers. A remote attacker could possibly use this issue to cause
Dovecot to consume resources, leading to a denial of service.
(CVE-2024-23184)
It was discovered that Dovecot incorrectly handled very large headers. A
remote attacker could possibly use this issue to cause Dovecot to consume
resources, leading to a denial of service. (CVE-2024-23185)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
dovecot-core 1:2.3.16+dfsg1-3ubuntu2.4
Ubuntu 20.04 LTS
dovecot-core 1:2.3.7.2-1ubuntu3.7
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7013-1
CVE-2024-23184, CVE-2024-23185
Package Information:
https://launchpad.net/ubuntu/+source/dovecot/1:2.3.16+dfsg1-3ubuntu2.4
https://launchpad.net/ubuntu/+source/dovecot/1:2.3.7.2-1ubuntu3.7
[USN-7011-1] ClamAV vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7011-1
September 16, 2024
clamav vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in ClamAV.
Software Description:
- clamav: Anti-virus utility for Unix
Details:
It was discovered that ClamAV incorrectly handled certain PDF files. A
remote attacker could possibly use this issue to cause ClamAV to crash,
resulting in a denial of service. (CVE-2024-20505)
It was discovered that ClamAV incorrectly handled logfile privileges. A
local attacker could use this issue to cause ClamAV to overwrite arbitrary
files, possibly leading to privilege escalation. (CVE-2024-20506)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
clamav 1.0.7+dfsg-0ubuntu0.24.04.1
Ubuntu 22.04 LTS
clamav 0.103.12+dfsg-0ubuntu0.22.04.1
Ubuntu 20.04 LTS
clamav 0.103.12+dfsg-0ubuntu0.20.04.1
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-7011-1
CVE-2024-20505, CVE-2024-20506
Package Information:
https://launchpad.net/ubuntu/+source/clamav/1.0.7+dfsg-0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/clamav/0.103.12+dfsg-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/clamav/0.103.12+dfsg-0ubuntu0.20.04.1
[USN-7015-1] Python vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7015-1
September 16, 2024
python3.10, python3.12, python3.8 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Python.
Software Description:
- python3.12: An interactive high-level object-oriented language
- python3.10: An interactive high-level object-oriented language
- python3.8: An interactive high-level object-oriented language
Details:
It was discovered that the Python email module incorrectly parsed email
addresses that contain special characters. A remote attacker could possibly
use this issue to bypass certain protection mechanisms. (CVE-2023-27043)
It was discovered that Python allowed excessive backtracking while parsing
certain tarfile headers. A remote attacker could possibly use this issue to
cause Python to consume resources, leading to a denial of service.
(CVE-2024-6232)
It was discovered that the Python email module incorrectly quoted newlines
for email headers. A remote attacker could possibly use this issue to
perform header injection. (CVE-2024-6923)
It was discovered that the Python http.cookies module incorrectly handled
parsing cookies that contained backslashes for quoted characters. A remote
attacker could possibly use this issue to cause Python to consume
resources, leading to a denial of service. (CVE-2024-7592)
It was discovered that the Python zipfile module incorrectly handled
certain malformed zip files. A remote attacker could possibly use this
issue to cause Python to stop responding, resulting in a denial of service.
(CVE-2024-8088)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3.12 3.12.3-1ubuntu0.2
python3.12-minimal 3.12.3-1ubuntu0.2
Ubuntu 22.04 LTS
python3.10 3.10.12-1~22.04.6
python3.10-minimal 3.10.12-1~22.04.6
Ubuntu 20.04 LTS
python3.8 3.8.10-0ubuntu1~20.04.12
python3.8-minimal 3.8.10-0ubuntu1~20.04.12
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7015-1
CVE-2023-27043, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592,
CVE-2024-8088
Package Information:
https://launchpad.net/ubuntu/+source/python3.12/3.12.3-1ubuntu0.2
https://launchpad.net/ubuntu/+source/python3.10/3.10.12-1~22.04.6
https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.12
[USN-7014-1] nginx vulnerability
==========================================================================
Ubuntu Security Notice USN-7014-1
September 16, 2024
nginx vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
nginx could be made to crash if it received specially crafted network
traffic.
Software Description:
- nginx: small, powerful, scalable web/proxy server
Details:
It was discovered that the nginx ngx_http_mp4 module incorrectly handled
certain malformed mp4 files. In environments where the mp4 directive is in
use, a remote attacker could possibly use this issue to cause nginx to
crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
nginx 1.24.0-2ubuntu7.1
nginx-common 1.24.0-2ubuntu7.1
nginx-core 1.24.0-2ubuntu7.1
nginx-extras 1.24.0-2ubuntu7.1
nginx-full 1.24.0-2ubuntu7.1
nginx-light 1.24.0-2ubuntu7.1
Ubuntu 22.04 LTS
nginx 1.18.0-6ubuntu14.5
nginx-common 1.18.0-6ubuntu14.5
nginx-core 1.18.0-6ubuntu14.5
nginx-extras 1.18.0-6ubuntu14.5
nginx-full 1.18.0-6ubuntu14.5
nginx-light 1.18.0-6ubuntu14.5
Ubuntu 20.04 LTS
nginx 1.18.0-0ubuntu1.6
nginx-common 1.18.0-0ubuntu1.6
nginx-core 1.18.0-0ubuntu1.6
nginx-extras 1.18.0-0ubuntu1.6
nginx-full 1.18.0-0ubuntu1.6
nginx-light 1.18.0-0ubuntu1.6
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7014-1
CVE-2024-7347
Package Information:
https://launchpad.net/ubuntu/+source/nginx/1.24.0-2ubuntu7.1
https://launchpad.net/ubuntu/+source/nginx/1.18.0-6ubuntu14.5
https://launchpad.net/ubuntu/+source/nginx/1.18.0-0ubuntu1.6
[USN-7012-1] curl vulnerability
==========================================================================
Ubuntu Security Notice USN-7012-1
September 16, 2024
curl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
curl could incorrectly check bad certificates when OCSP stapling is in use.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Hiroki Kurosawa discovered that curl incorrectly handled certain OCSP
responses. This could result in bad certificates not being checked
properly, contrary to expectations.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
curl 8.5.0-2ubuntu10.4
libcurl3t64-gnutls 8.5.0-2ubuntu10.4
libcurl4t64 8.5.0-2ubuntu10.4
Ubuntu 22.04 LTS
curl 7.81.0-1ubuntu1.18
libcurl3-gnutls 7.81.0-1ubuntu1.18
libcurl3-nss 7.81.0-1ubuntu1.18
libcurl4 7.81.0-1ubuntu1.18
Ubuntu 20.04 LTS
curl 7.68.0-1ubuntu2.24
libcurl3-gnutls 7.68.0-1ubuntu2.24
libcurl3-nss 7.68.0-1ubuntu2.24
libcurl4 7.68.0-1ubuntu2.24
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7012-1
CVE-2024-8096
Package Information:
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.4
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.18
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.24
