[USN-7358-1] PostgreSQL vulnerabilities
[USN-7354-1] djoser vulnerability
[USN-7357-1] Libxslt vulnerability
[USN-7360-1] Alpine vulnerabilities
[USN-7358-1] PostgreSQL vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7358-1
March 19, 2025
postgresql-9.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PostgreSQL.
Software Description:
- postgresql-9.5: Object-relational SQL database
Details:
Wolfgang Walther discovered that PostgreSQL incorrectly tracked tables with
row security. A remote attacker could possibly use this issue to perform
forbidden reads and modifications. (CVE-2024-10976)
Jacob Champion discovered that PostgreSQL clients used untrusted server
error messages. An attacker that is able to intercept network
communications could possibly use this issue to inject error messages that
could be interpreted as valid query results. (CVE-2024-10977)
Tom Lane discovered that PostgreSQL incorrectly handled certain privilege
assignments. A remote attacker could possibly use this issue to view or
change different rows from those intended. (CVE-2024-10978)
Coby Abrams discovered that PostgreSQL incorrectly handled environment
variables. A remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2024-10979)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
postgresql-9.5 9.5.25-0ubuntu0.16.04.1+esm10
Available with Ubuntu Pro
postgresql-client-9.5 9.5.25-0ubuntu0.16.04.1+esm10
Available with Ubuntu Pro
After a standard system update you need to restart PostgreSQL to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7358-1
CVE-2024-10976, CVE-2024-10977, CVE-2024-10978, CVE-2024-10979
[USN-7354-1] djoser vulnerability
==========================================================================
Ubuntu Security Notice USN-7354-1
March 17, 2025
djoser vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
djoser could be made to bypass authentication checks during login.
Software Description:
- djoser: REST implementation of Django authentication system
Details:
Diego Cebrián discovered that djoser did not properly handle user
authentication. An attacker with valid credentials could possibly
use this to bypass authentication checks, such as two-factor
authentication, to gain unintended access.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
python3-djoser 2.1.0-1ubuntu0.24.10.1
Ubuntu 24.04 LTS
python3-djoser 2.1.0-1ubuntu0.24.04.1
Ubuntu 22.04 LTS
python3-djoser 2.1.0-1ubuntu0.22.04.1
Ubuntu 20.04 LTS
python3-djoser 2.0.3-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7354-1
CVE-2024-21543
Package Information:
https://launchpad.net/ubuntu/+source/djoser/2.1.0-1ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/djoser/2.1.0-1ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/djoser/2.1.0-1ubuntu0.22.04.1
[USN-7357-1] Libxslt vulnerability
==========================================================================
Ubuntu Security Notice USN-7357-1
March 19, 2025
libxslt vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Libxslt could be made to crash or run programs if it opened a specially
crafted file.
Software Description:
- libxslt: XSLT processing library
Details:
Ivan Fratric discovered that Libxslt incorrectly handled certain memory
operations when handling documents. A remote attacker could use this issue
to cause Libxslt to crash, resulting in a denial of service, or possibly
execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libxslt1.1 1.1.39-0exp1ubuntu1.1
Ubuntu 24.04 LTS
libxslt1.1 1.1.39-0exp1ubuntu0.24.04.1
Ubuntu 22.04 LTS
libxslt1.1 1.1.34-4ubuntu0.22.04.2
Ubuntu 20.04 LTS
libxslt1.1 1.1.34-4ubuntu0.20.04.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7357-1
CVE-2024-55549
Package Information:
https://launchpad.net/ubuntu/+source/libxslt/1.1.39-0exp1ubuntu1.1
https://launchpad.net/ubuntu/+source/libxslt/1.1.39-0exp1ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/libxslt/1.1.34-4ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/libxslt/1.1.34-4ubuntu0.20.04.2
[USN-7360-1] Alpine vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7360-1
March 20, 2025
alpine vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Alpine.
Software Description:
- alpine: Text-based email client, friendly for novices but powerful
Details:
It was discovered that Alpine did not use a secure connection under
certain circumstances. A remote attacker could possibly use this issue to
leak sensitive information. (CVE-2020-14929)
It was discovered that Alpine could allow untagged responses from an
IMAP server before upgrading to a TLS connection. A remote attacker could
possibly use this issue to leak sensitive information. (CVE-2021-38370)
It was discovered that Alpine could crash when receiving certain SMTP
commands. A remote attacker could possibly use this issue to cause a denial
of service. (CVE-2021-46853)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
alpine 2.22+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro
alpine-pico 2.22+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro
pilot 2.22+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
alpine 2.21+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro
alpine-pico 2.21+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro
pilot 2.21+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
alpine 2.20+dfsg1-2ubuntu0.1~esm1
Available with Ubuntu Pro
alpine-pico 2.20+dfsg1-2ubuntu0.1~esm1
Available with Ubuntu Pro
pilot 2.20+dfsg1-2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7360-1
CVE-2020-14929, CVE-2021-38370, CVE-2021-46853
