Ubuntu 6614 Published by

Ubuntu Linux has received updates addressing multiple security vulnerabilities, including those related to PostgreSQL, HAProxy, Python, nginx, and ConfigObj:

[USN-6968-3] PostgreSQL vulnerability
[USN-7067-1] HAProxy vulnerability
[USN-7015-4] Python vulnerability
[USN-7014-3] nginx vulnerability
[USN-7040-2] ConfigObj vulnerability




[USN-6968-3] PostgreSQL vulnerability


==========================================================================
Ubuntu Security Notice USN-6968-3
October 14, 2024

postgresql-10, postgresql-9.3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 14.04 LTS

Summary:

PostgreSQL could execute arbitrary SQL functions as the superuser
if it received a specially crafted SQL object.

Software Description:
- postgresql-10: Object-relational SQL database
- postgresql-9.3: Object-relational SQL database

Details:

USN-6968-1 fixed CVE-2024-7348 in PostgreSQL-12, PostgreSQL-14, and
PostgreSQL-16.

This update provides the corresponding updates for PostgreSQL-9.3 in
Ubuntu 14.04 LTS and PostgreSQL-10 in Ubuntu 18.04 LTS.

Original advisory details:

Noah Misch discovered that PostgreSQL incorrectly handled certain
SQL objects. An attacker could possibly use this issue to execute
arbitrary SQL functions as the superuser.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
postgresql-10 10.23-0ubuntu0.18.04.2+esm2
Available with Ubuntu Pro
postgresql-client-10 10.23-0ubuntu0.18.04.2+esm2
Available with Ubuntu Pro

Ubuntu 14.04 LTS
postgresql-9.3 9.3.24-0ubuntu0.14.04+esm1
Available with Ubuntu Pro
postgresql-client-9.3 9.3.24-0ubuntu0.14.04+esm1
Available with Ubuntu Pro

After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6968-3
https://ubuntu.com/security/notices/USN-6968-2
https://ubuntu.com/security/notices/USN-6968-1
CVE-2024-7348



[USN-7067-1] HAProxy vulnerability


==========================================================================
Ubuntu Security Notice USN-7067-1
October 14, 2024

haproxy vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

HAProxy could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- haproxy: fast and reliable load balancing reverse proxy

Details:

It was discovered that HAProxy did not properly limit the creation of new
HTTP/2 streams. A remote attacker could possibly use this issue to cause
HAProxy to consume excessive resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  haproxy                         1.8.8-1ubuntu0.13+esm3
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7067-1
  CVE-2023-44487



[USN-7015-4] Python vulnerability


==========================================================================
Ubuntu Security Notice USN-7015-4
October 14, 2024

python2.7, python3.5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Python could me made to bypass some restrictions if it received specially
crafted input.

Software Description:
- python2.7: An interactive high-level object-oriented language
- python3.5: An interactive high-level object-oriented language

Details:

USN-7015-1 fixed several vulnerabilities in Python. This update provides
the corresponding update for CVE-2023-27043 for python2.7 and python3.5 in
Ubuntu 14.04 LTS.

Original advisory details:

It was discovered that the Python email module incorrectly parsed email
addresses that contain special characters. A remote attacker could
possibly use this issue to bypass certain protection mechanisms.
(CVE-2023-27043)

It was discovered that Python allowed excessive backtracking while parsing
certain tarfile headers. A remote attacker could possibly use this issue
to cause Python to consume resources, leading to a denial of service.
(CVE-2024-6232)

It was discovered that the Python email module incorrectly quoted newlines
for email headers. A remote attacker could possibly use this issue to
perform header injection. (CVE-2024-6923)

It was discovered that the Python http.cookies module incorrectly handled
parsing cookies that contained backslashes for quoted characters. A remote
attacker could possibly use this issue to cause Python to consume
resources, leading to a denial of service. (CVE-2024-7592)

It was discovered that the Python zipfile module incorrectly handled
certain malformed zip files. A remote attacker could possibly use this
issue to cause Python to stop responding, resulting in a denial of
service. (CVE-2024-8088)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS
python2.7 2.7.6-8ubuntu0.6+esm20
Available with Ubuntu Pro
python2.7-minimal 2.7.6-8ubuntu0.6+esm20
Available with Ubuntu Pro
python3.5 3.5.2-2ubuntu0~16.04.4~14.04.1+esm3
Available with Ubuntu Pro
python3.5-minimal 3.5.2-2ubuntu0~16.04.4~14.04.1+esm3
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7015-4
https://ubuntu.com/security/notices/USN-7015-3
https://ubuntu.com/security/notices/USN-7015-2
https://ubuntu.com/security/notices/USN-7015-1
CVE-2023-27043



[USN-7014-3] nginx vulnerability


==========================================================================
Ubuntu Security Notice USN-7014-3
October 14, 2024

nginx vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

nginx could be made to crash if it received specially crafted network
traffic.

Software Description:
- nginx: small, powerful, scalable web/proxy server

Details:

USN-7014-1 fixed a vulnerability in nginx. This update
provides the corresponding update for Ubuntu 14.04 LTS.

Original advisory details:

  It was discovered that the nginx ngx_http_mp4 module incorrectly handled
  certain malformed mp4 files. In environments where the mp4 directive
is in
  use, a remote attacker could possibly use this issue to cause nginx to
  crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS
   nginx                           1.4.6-1ubuntu3.9+esm5
                                   Available with Ubuntu Pro
   nginx-common                    1.4.6-1ubuntu3.9+esm5
                                   Available with Ubuntu Pro
   nginx-core                      1.4.6-1ubuntu3.9+esm5
                                   Available with Ubuntu Pro
   nginx-extras                    1.4.6-1ubuntu3.9+esm5
                                   Available with Ubuntu Pro
   nginx-full                      1.4.6-1ubuntu3.9+esm5
                                   Available with Ubuntu Pro
   nginx-light                     1.4.6-1ubuntu3.9+esm5
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7014-3
   https://ubuntu.com/security/notices/USN-7014-2
   https://ubuntu.com/security/notices/USN-7014-1
   CVE-2024-7347



[USN-7040-2] ConfigObj vulnerability


==========================================================================
Ubuntu Security Notice USN-7040-2
October 14, 2024

configobj vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

ConfigObj could be made to crash if it received specially crafted input.

Software Description:
- configobj: simple but powerful config file reader and writer for Python

Details:

USN-7040-1 fixed a vulnerability in ConfigObj. This update
provides the corresponding update for Ubuntu 14.04 LTS.

Original advisory details:

 It was discovered that ConfigObj contains regex that is susceptible to
 catastrophic backtracking. An attacker could possibly use this issue to
 cause a regular expression denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS
  python-configobj                4.7.2+ds-5ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7040-2
  https://ubuntu.com/security/notices/USN-7040-1
  CVE-2023-26112