Ubuntu 6614 Published by

Ubuntu Linux has received updates addressing various security vulnerabilities, including those related to Python, IoT, Kernel, needrestart, and waitress:

[USN-7116-1] Python vulnerability
[USN-7015-5] Python vulnerabilities
[USN-7120-1] Linux kernel vulnerabilities
[USN-7119-1] Linux kernel (IoT) vulnerabilities
[USN-7122-1] Linux kernel vulnerability
[USN-7089-7] Linux kernel (Low Latency) vulnerabilities
[USN-7121-1] Linux kernel vulnerabilities
[USN-7117-1] needrestart and Module::ScanDeps vulnerabilities
[USN-7115-1] Waitress vulnerabilities




[USN-7116-1] Python vulnerability


==========================================================================
Ubuntu Security Notice USN-7116-1
November 19, 2024

python3.10, python3.12, python3.8 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Python could be made to run programs when activating virtual environments.

Software Description:
- python3.12: An interactive high-level object-oriented language
- python3.10: An interactive high-level object-oriented language
- python3.8: An interactive high-level object-oriented language

Details:

It was discovered that Python incorrectly handled quoting path names when
using the venv module. A local attacker able to control virtual
environments could possibly use this issue to execute arbitrary code when
the virtual environment is activated.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
python3.12 3.12.7-1ubuntu1
python3.12-minimal 3.12.7-1ubuntu1

Ubuntu 24.04 LTS
python3.12 3.12.3-1ubuntu0.3
python3.12-minimal 3.12.3-1ubuntu0.3

Ubuntu 22.04 LTS
python3.10 3.10.12-1~22.04.7
python3.10-minimal 3.10.12-1~22.04.7

Ubuntu 20.04 LTS
python3.8 3.8.10-0ubuntu1~20.04.13
python3.8-minimal 3.8.10-0ubuntu1~20.04.13

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7116-1
CVE-2024-9287

Package Information:
https://launchpad.net/ubuntu/+source/python3.12/3.12.7-1ubuntu1
https://launchpad.net/ubuntu/+source/python3.12/3.12.3-1ubuntu0.3
https://launchpad.net/ubuntu/+source/python3.10/3.10.12-1~22.04.7
https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.13



[USN-7015-5] Python vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7015-5
November 19, 2024

python2.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Python.

Software Description:
- python2.7: An interactive high-level object-oriented language

Details:

USN-7015-1 fixed several vulnerabilities in Python. This update provides
the corresponding update for CVE-2024-6232 and CVE-2024-6923 for python2.7
in Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS
and Ubuntu 22.04 LTS.

Original advisory details:

It was discovered that the Python email module incorrectly parsed email
addresses that contain special characters. A remote attacker could
possibly use this issue to bypass certain protection mechanisms.
(CVE-2023-27043)

It was discovered that Python allowed excessive backtracking while parsing
certain tarfile headers. A remote attacker could possibly use this issue
to cause Python to consume resources, leading to a denial of service.
(CVE-2024-6232)

It was discovered that the Python email module incorrectly quoted newlines
for email headers. A remote attacker could possibly use this issue to
perform header injection. (CVE-2024-6923)

It was discovered that the Python http.cookies module incorrectly handled
parsing cookies that contained backslashes for quoted characters. A remote
attacker could possibly use this issue to cause Python to consume
resources, leading to a denial of service. (CVE-2024-7592)

It was discovered that the Python zipfile module incorrectly handled
certain malformed zip files. A remote attacker could possibly use this
issue to cause Python to stop responding, resulting in a denial of
service. (CVE-2024-8088)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
python2.7 2.7.18-13ubuntu1.3
python2.7-minimal 2.7.18-13ubuntu1.3

Ubuntu 20.04 LTS
python2.7 2.7.18-1~20.04.5
python2.7-minimal 2.7.18-1~20.04.5

Ubuntu 18.04 LTS
python2.7 2.7.17-1~18.04ubuntu1.13+esm7
Available with Ubuntu Pro
python2.7-minimal 2.7.17-1~18.04ubuntu1.13+esm7
Available with Ubuntu Pro

Ubuntu 16.04 LTS
python2.7 2.7.12-1ubuntu0~16.04.18+esm12
Available with Ubuntu Pro
python2.7-minimal 2.7.12-1ubuntu0~16.04.18+esm12
Available with Ubuntu Pro

Ubuntu 14.04 LTS
python2.7 2.7.6-8ubuntu0.6+esm21
Available with Ubuntu Pro
python2.7-minimal 2.7.6-8ubuntu0.6+esm21
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7015-5
https://ubuntu.com/security/notices/USN-7015-4
https://ubuntu.com/security/notices/USN-7015-3
https://ubuntu.com/security/notices/USN-7015-2
https://ubuntu.com/security/notices/USN-7015-1
CVE-2024-6232, CVE-2024-6923

Package Information:
https://launchpad.net/ubuntu/+source/python2.7/2.7.18-13ubuntu1.3
https://launchpad.net/ubuntu/+source/python2.7/2.7.18-1~20.04.5



[USN-7120-1] Linux kernel vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7120-1
November 19, 2024

linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-hwe-6.8,
linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency,
linux-oem-6.8, linux-oracle, linux-raspi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-nvidia: Linux kernel for NVIDIA systems
- linux-nvidia-lowlatency: Linux low latency kernel for NVIDIA systems
- linux-oem-6.8: Linux kernel for OEM systems
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-gcp-6.8: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-6.8: Linux hardware enablement (HWE) kernel
- linux-nvidia-6.8: Linux kernel for NVIDIA systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- File systems infrastructure;
- Network traffic control;
(CVE-2024-46800, CVE-2024-43882)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
linux-image-6.8.0-1014-gke 6.8.0-1014.18
linux-image-6.8.0-1015-raspi 6.8.0-1015.17
linux-image-6.8.0-1016-ibm 6.8.0-1016.16
linux-image-6.8.0-1016-oracle 6.8.0-1016.17
linux-image-6.8.0-1016-oracle-64k 6.8.0-1016.17
linux-image-6.8.0-1017-oem 6.8.0-1017.17
linux-image-6.8.0-1018-gcp 6.8.0-1018.20
linux-image-6.8.0-1018-nvidia 6.8.0-1018.20
linux-image-6.8.0-1018-nvidia-64k 6.8.0-1018.20
linux-image-6.8.0-1018-nvidia-lowlatency 6.8.0-1018.20.1
linux-image-6.8.0-1018-nvidia-lowlatency-64k 6.8.0-1018.20.1
linux-image-6.8.0-1019-aws 6.8.0-1019.21
linux-image-6.8.0-49-generic 6.8.0-49.49
linux-image-6.8.0-49-generic-64k 6.8.0-49.49
linux-image-aws 6.8.0-1019.21
linux-image-gcp 6.8.0-1018.20
linux-image-generic 6.8.0-49.49
linux-image-generic-64k 6.8.0-49.49
linux-image-generic-64k-hwe-24.04 6.8.0-49.49
linux-image-generic-hwe-24.04 6.8.0-49.49
linux-image-generic-lpae 6.8.0-49.49
linux-image-gke 6.8.0-1014.18
linux-image-ibm 6.8.0-1016.16
linux-image-ibm-classic 6.8.0-1016.16
linux-image-ibm-lts-24.04 6.8.0-1016.16
linux-image-kvm 6.8.0-49.49
linux-image-nvidia 6.8.0-1018.20
linux-image-nvidia-64k 6.8.0-1018.20
linux-image-nvidia-lowlatency 6.8.0-1018.20.1
linux-image-nvidia-lowlatency-64k 6.8.0-1018.20.1
linux-image-oem-24.04 6.8.0-1017.17
linux-image-oem-24.04a 6.8.0-1017.17
linux-image-oracle 6.8.0-1016.17
linux-image-oracle-64k 6.8.0-1016.17
linux-image-raspi 6.8.0-1015.17
linux-image-virtual 6.8.0-49.49
linux-image-virtual-hwe-24.04 6.8.0-49.49

Ubuntu 22.04 LTS
linux-image-6.8.0-1018-gcp 6.8.0-1018.20~22.04.1
linux-image-6.8.0-1018-nvidia 6.8.0-1018.20~22.04.1
linux-image-6.8.0-1018-nvidia-64k 6.8.0-1018.20~22.04.1
linux-image-6.8.0-49-generic 6.8.0-49.49~22.04.1
linux-image-6.8.0-49-generic-64k 6.8.0-49.49~22.04.1
linux-image-gcp 6.8.0-1018.20~22.04.1
linux-image-generic-64k-hwe-22.04 6.8.0-49.49~22.04.1
linux-image-generic-hwe-22.04 6.8.0-49.49~22.04.1
linux-image-nvidia-6.8 6.8.0-1018.20~22.04.1
linux-image-nvidia-64k-6.8 6.8.0-1018.20~22.04.1
linux-image-nvidia-64k-hwe-22.04 6.8.0-1018.20~22.04.1
linux-image-nvidia-hwe-22.04 6.8.0-1018.20~22.04.1
linux-image-oem-22.04 6.8.0-49.49~22.04.1
linux-image-oem-22.04a 6.8.0-49.49~22.04.1
linux-image-oem-22.04b 6.8.0-49.49~22.04.1
linux-image-oem-22.04c 6.8.0-49.49~22.04.1
linux-image-oem-22.04d 6.8.0-49.49~22.04.1
linux-image-virtual-hwe-22.04 6.8.0-49.49~22.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7120-1
CVE-2024-43882, CVE-2024-46800

Package Information:
https://launchpad.net/ubuntu/+source/linux/6.8.0-49.49
https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1019.21
https://launchpad.net/ubuntu/+source/linux-gcp/6.8.0-1018.20
https://launchpad.net/ubuntu/+source/linux-gke/6.8.0-1014.18
https://launchpad.net/ubuntu/+source/linux-ibm/6.8.0-1016.16
https://launchpad.net/ubuntu/+source/linux-nvidia/6.8.0-1018.20
https://launchpad.net/ubuntu/+source/linux-nvidia-lowlatency/6.8.0-1018.20.1
https://launchpad.net/ubuntu/+source/linux-oem-6.8/6.8.0-1017.17
https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1016.17
https://launchpad.net/ubuntu/+source/linux-raspi/6.8.0-1015.17
https://launchpad.net/ubuntu/+source/linux-gcp-6.8/6.8.0-1018.20~22.04.1
https://launchpad.net/ubuntu/+source/linux-hwe-6.8/6.8.0-49.49~22.04.1
https://launchpad.net/ubuntu/+source/linux-nvidia-6.8/6.8.0-1018.20~22.04.1



[USN-7119-1] Linux kernel (IoT) vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7119-1
November 19, 2024

linux-iot vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-iot: Linux kernel for IoT platforms

Details:

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an integer overflow vulnerability. A local attacker could
use this to cause a denial of service (system crash). (CVE-2022-36402)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- PowerPC architecture;
- User-Mode Linux (UML);
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
- Android drivers;
- Serial ATA and Parallel ATA drivers;
- ATM drivers;
- Drivers core;
- CPU frequency scaling framework;
- Device frequency scaling framework;
- GPU drivers;
- HID subsystem;
- Hardware monitoring drivers;
- InfiniBand drivers;
- Input Device core drivers;
- Input Device (Miscellaneous) drivers;
- IOMMU subsystem;
- IRQ chip drivers;
- ISDN/mISDN subsystem;
- Modular ISDN driver;
- LED subsystem;
- Multiple devices driver;
- Media drivers;
- EEPROM drivers;
- VMware VMCI Driver;
- MMC subsystem;
- Network drivers;
- Near Field Communication (NFC) drivers;
- NVME drivers;
- Device tree and open firmware driver;
- Parport drivers;
- PCI subsystem;
- Pin controllers subsystem;
- Remote Processor subsystem;
- S/390 drivers;
- SCSI drivers;
- QCOM SoC drivers;
- Direct Digital Synthesis drivers;
- TTY drivers;
- Userspace I/O drivers;
- DesignWare USB3 driver;
- USB Gadget drivers;
- USB Host Controller drivers;
- USB Serial drivers;
- USB Type-C Connector System Software Interface driver;
- USB over IP driver;
- Watchdog drivers;
- BTRFS file system;
- File systems infrastructure;
- Ext4 file system;
- F2FS file system;
- GFS2 file system;
- JFS file system;
- NILFS2 file system;
- Netfilter;
- BPF subsystem;
- Core kernel;
- DMA mapping infrastructure;
- Tracing infrastructure;
- Radix Tree data structure library;
- Kernel userspace event delivery library;
- Objagg library;
- Memory management;
- Amateur Radio drivers;
- Bluetooth subsystem;
- CAN network layer;
- Networking core;
- Ethtool driver;
- IPv4 networking;
- IPv6 networking;
- IUCV driver;
- KCM (Kernel Connection Multiplexor) sockets driver;
- MAC80211 subsystem;
- RxRPC session sockets;
- Network traffic control;
- SCTP protocol;
- Sun RPC protocol;
- TIPC protocol;
- TLS protocol;
- Wireless networking;
- AppArmor security module;
- Integrity Measurement Architecture(IMA) framework;
- Simplified Mandatory Access Control Kernel framework;
- SoC audio core drivers;
- USB sound devices;
(CVE-2024-46750, CVE-2024-43853, CVE-2024-46722, CVE-2024-42311,
CVE-2024-46679, CVE-2023-52918, CVE-2024-42309, CVE-2024-42160,
CVE-2024-26668, CVE-2024-42271, CVE-2024-40929, CVE-2024-46747,
CVE-2024-41064, CVE-2024-43839, CVE-2024-46757, CVE-2024-41059,
CVE-2024-42301, CVE-2024-46737, CVE-2024-42297, CVE-2024-41015,
CVE-2024-43854, CVE-2024-42289, CVE-2024-41017, CVE-2024-26787,
CVE-2024-47667, CVE-2024-46675, CVE-2024-42246, CVE-2024-46723,
CVE-2024-46817, CVE-2024-43841, CVE-2024-26800, CVE-2024-41098,
CVE-2022-48863, CVE-2023-52531, CVE-2024-42265, CVE-2024-46828,
CVE-2024-41020, CVE-2024-42305, CVE-2024-46755, CVE-2024-46744,
CVE-2024-43871, CVE-2024-43884, CVE-2024-41042, CVE-2024-43914,
CVE-2024-43856, CVE-2024-27397, CVE-2024-26607, CVE-2024-42228,
CVE-2024-41091, CVE-2024-26677, CVE-2024-38611, CVE-2024-43867,
CVE-2024-46829, CVE-2021-47188, CVE-2024-46756, CVE-2024-45025,
CVE-2024-42313, CVE-2024-44947, CVE-2024-26669, CVE-2024-47668,
CVE-2024-44987, CVE-2024-42295, CVE-2024-42281, CVE-2024-43880,
CVE-2024-46777, CVE-2024-46780, CVE-2024-42285, CVE-2024-26891,
CVE-2024-46714, CVE-2024-44999, CVE-2024-41068, CVE-2024-44944,
CVE-2024-43882, CVE-2024-27051, CVE-2024-41072, CVE-2024-46783,
CVE-2024-46781, CVE-2024-26885, CVE-2024-46844, CVE-2024-47669,
CVE-2024-45008, CVE-2024-46758, CVE-2024-44954, CVE-2024-45021,
CVE-2024-42304, CVE-2024-41081, CVE-2024-46798, CVE-2024-43890,
CVE-2024-46840, CVE-2024-44960, CVE-2024-41012, CVE-2022-48791,
CVE-2024-43908, CVE-2024-46721, CVE-2024-43829, CVE-2024-41073,
CVE-2024-42306, CVE-2024-46745, CVE-2024-43858, CVE-2024-47663,
CVE-2024-46782, CVE-2024-42244, CVE-2024-41090, CVE-2024-38602,
CVE-2024-45003, CVE-2024-35848, CVE-2024-43883, CVE-2024-46677,
CVE-2024-42280, CVE-2024-43846, CVE-2024-47659, CVE-2024-44965,
CVE-2024-43893, CVE-2024-26960, CVE-2024-46676, CVE-2024-45016,
CVE-2024-46689, CVE-2024-44998, CVE-2024-44995, CVE-2024-41022,
CVE-2024-45026, CVE-2024-46739, CVE-2024-43830, CVE-2024-42286,
CVE-2024-26640, CVE-2024-27012, CVE-2024-45006, CVE-2024-42276,
CVE-2024-46818, CVE-2024-39494, CVE-2024-43860, CVE-2024-41070,
CVE-2023-52614, CVE-2024-42283, CVE-2024-44969, CVE-2024-42229,
CVE-2024-46740, CVE-2024-44948, CVE-2024-46822, CVE-2024-46738,
CVE-2024-36484, CVE-2024-41065, CVE-2024-46685, CVE-2024-44935,
CVE-2024-46759, CVE-2024-42292, CVE-2024-43879, CVE-2024-42287,
CVE-2024-42288, CVE-2024-41063, CVE-2024-41011, CVE-2024-44946,
CVE-2024-42290, CVE-2024-38570, CVE-2024-42310, CVE-2024-46743,
CVE-2024-43861, CVE-2024-42131, CVE-2021-47212, CVE-2024-46719,
CVE-2024-46815, CVE-2024-26641, CVE-2024-43894, CVE-2024-44988,
CVE-2024-42259, CVE-2024-46771, CVE-2024-46673, CVE-2024-45028,
CVE-2024-46761, CVE-2024-41071, CVE-2024-38630, CVE-2024-43835,
CVE-2024-46800, CVE-2024-42284)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
linux-image-5.4.0-1044-iot 5.4.0-1044.45

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7119-1
CVE-2021-47188, CVE-2021-47212, CVE-2022-36402, CVE-2022-48791,
CVE-2022-48863, CVE-2023-52531, CVE-2023-52614, CVE-2023-52918,
CVE-2024-26607, CVE-2024-26640, CVE-2024-26641, CVE-2024-26668,
CVE-2024-26669, CVE-2024-26677, CVE-2024-26787, CVE-2024-26800,
CVE-2024-26885, CVE-2024-26891, CVE-2024-26960, CVE-2024-27012,
CVE-2024-27051, CVE-2024-27397, CVE-2024-35848, CVE-2024-36484,
CVE-2024-38570, CVE-2024-38602, CVE-2024-38611, CVE-2024-38630,
CVE-2024-39494, CVE-2024-40929, CVE-2024-41011, CVE-2024-41012,
CVE-2024-41015, CVE-2024-41017, CVE-2024-41020, CVE-2024-41022,
CVE-2024-41042, CVE-2024-41059, CVE-2024-41063, CVE-2024-41064,
CVE-2024-41065, CVE-2024-41068, CVE-2024-41070, CVE-2024-41071,
CVE-2024-41072, CVE-2024-41073, CVE-2024-41081, CVE-2024-41090,
CVE-2024-41091, CVE-2024-41098, CVE-2024-42131, CVE-2024-42160,
CVE-2024-42228, CVE-2024-42229, CVE-2024-42244, CVE-2024-42246,
CVE-2024-42259, CVE-2024-42265, CVE-2024-42271, CVE-2024-42276,
CVE-2024-42280, CVE-2024-42281, CVE-2024-42283, CVE-2024-42284,
CVE-2024-42285, CVE-2024-42286, CVE-2024-42287, CVE-2024-42288,
CVE-2024-42289, CVE-2024-42290, CVE-2024-42292, CVE-2024-42295,
CVE-2024-42297, CVE-2024-42301, CVE-2024-42304, CVE-2024-42305,
CVE-2024-42306, CVE-2024-42309, CVE-2024-42310, CVE-2024-42311,
CVE-2024-42313, CVE-2024-43829, CVE-2024-43830, CVE-2024-43835,
CVE-2024-43839, CVE-2024-43841, CVE-2024-43846, CVE-2024-43853,
CVE-2024-43854, CVE-2024-43856, CVE-2024-43858, CVE-2024-43860,
CVE-2024-43861, CVE-2024-43867, CVE-2024-43871, CVE-2024-43879,
CVE-2024-43880, CVE-2024-43882, CVE-2024-43883, CVE-2024-43884,
CVE-2024-43890, CVE-2024-43893, CVE-2024-43894, CVE-2024-43908,
CVE-2024-43914, CVE-2024-44935, CVE-2024-44944, CVE-2024-44946,
CVE-2024-44947, CVE-2024-44948, CVE-2024-44954, CVE-2024-44960,
CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,
CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,
CVE-2024-45006, CVE-2024-45008, CVE-2024-45016, CVE-2024-45021,
CVE-2024-45025, CVE-2024-45026, CVE-2024-45028, CVE-2024-46673,
CVE-2024-46675, CVE-2024-46676, CVE-2024-46677, CVE-2024-46679,
CVE-2024-46685, CVE-2024-46689, CVE-2024-46714, CVE-2024-46719,
CVE-2024-46721, CVE-2024-46722, CVE-2024-46723, CVE-2024-46737,
CVE-2024-46738, CVE-2024-46739, CVE-2024-46740, CVE-2024-46743,
CVE-2024-46744, CVE-2024-46745, CVE-2024-46747, CVE-2024-46750,
CVE-2024-46755, CVE-2024-46756, CVE-2024-46757, CVE-2024-46758,
CVE-2024-46759, CVE-2024-46761, CVE-2024-46771, CVE-2024-46777,
CVE-2024-46780, CVE-2024-46781, CVE-2024-46782, CVE-2024-46783,
CVE-2024-46798, CVE-2024-46800, CVE-2024-46815, CVE-2024-46817,
CVE-2024-46818, CVE-2024-46822, CVE-2024-46828, CVE-2024-46829,
CVE-2024-46840, CVE-2024-46844, CVE-2024-47659, CVE-2024-47663,
CVE-2024-47667, CVE-2024-47668, CVE-2024-47669

Package Information:
https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1044.45



[USN-7122-1] Linux kernel vulnerability


==========================================================================
Ubuntu Security Notice USN-7122-1
November 19, 2024

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

The system could be made to crash under certain conditions.

Software Description:
- linux: Linux kernel

Details:

A security issue was discovered in the Linux kernel.
An attacker could possibly use this to compromise the system.
This update corrects flaws in the following subsystems:
- x86 architecture;

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS
linux-image-3.13.0-200-generic 3.13.0-200.251
Available with Ubuntu Pro
linux-image-3.13.0-200-lowlatency 3.13.0-200.251
Available with Ubuntu Pro
linux-image-generic 3.13.0.200.210
Available with Ubuntu Pro
linux-image-generic-lts-trusty 3.13.0.200.210
Available with Ubuntu Pro
linux-image-lowlatency 3.13.0.200.210
Available with Ubuntu Pro
linux-image-server 3.13.0.200.210
Available with Ubuntu Pro
linux-image-virtual 3.13.0.200.210
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7122-1
CVE-2022-48943



[USN-7089-7] Linux kernel (Low Latency) vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7089-7
November 19, 2024

linux-lowlatency, linux-lowlatency-hwe-6.8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-lowlatency: Linux low latency kernel
- linux-lowlatency-hwe-6.8: Linux low latency kernel

Details:

Chenyuan Yang discovered that the USB Gadget subsystem in the Linux
kernel did not properly check for the device to be enabled before
writing. A local attacker could possibly use this to cause a denial of
service. (CVE-2024-25741)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM32 architecture;
- MIPS architecture;
- PA-RISC architecture;
- PowerPC architecture;
- RISC-V architecture;
- S390 architecture;
- x86 architecture;
- Cryptographic API;
- Serial ATA and Parallel ATA drivers;
- Null block device driver;
- Bluetooth drivers;
- Cdrom driver;
- Clock framework and drivers;
- Hardware crypto device drivers;
- CXL (Compute Express Link) drivers;
- Cirrus firmware drivers;
- GPIO subsystem;
- GPU drivers;
- I2C subsystem;
- IIO subsystem;
- InfiniBand drivers;
- ISDN/mISDN subsystem;
- LED subsystem;
- Multiple devices driver;
- Media drivers;
- Fastrpc Driver;
- Network drivers;
- Microsoft Azure Network Adapter (MANA) driver;
- Near Field Communication (NFC) drivers;
- NVME drivers;
- NVMEM (Non Volatile Memory) drivers;
- PCI subsystem;
- Pin controllers subsystem;
- x86 platform drivers;
- S/390 drivers;
- SCSI drivers;
- Thermal drivers;
- TTY drivers;
- UFS subsystem;
- USB DSL drivers;
- USB core drivers;
- DesignWare USB3 driver;
- USB Gadget drivers;
- USB Serial drivers;
- VFIO drivers;
- VHOST drivers;
- File systems infrastructure;
- BTRFS file system;
- GFS2 file system;
- JFFS2 file system;
- JFS file system;
- Network file systems library;
- Network file system client;
- NILFS2 file system;
- NTFS3 file system;
- SMB network file system;
- Memory management;
- Netfilter;
- Tracing infrastructure;
- io_uring subsystem;
- BPF subsystem;
- Core kernel;
- Bluetooth subsystem;
- CAN network layer;
- Ceph Core library;
- Networking core;
- IPv4 networking;
- IPv6 networking;
- IUCV driver;
- MAC80211 subsystem;
- Network traffic control;
- Sun RPC protocol;
- Wireless networking;
- AMD SoC Alsa drivers;
- SoC Audio for Freescale CPUs drivers;
- MediaTek ASoC drivers;
- SoC audio core drivers;
- SOF drivers;
- Sound sequencer drivers;
(CVE-2024-42104, CVE-2024-42084, CVE-2024-42252, CVE-2024-41096,
CVE-2024-42237, CVE-2024-42140, CVE-2024-42150, CVE-2024-41031,
CVE-2024-41059, CVE-2024-41062, CVE-2024-41051, CVE-2024-41028,
CVE-2024-41090, CVE-2024-41092, CVE-2024-43855, CVE-2024-41021,
CVE-2024-42229, CVE-2024-41056, CVE-2024-41048, CVE-2024-41036,
CVE-2024-42094, CVE-2024-41089, CVE-2024-41068, CVE-2024-41039,
CVE-2024-41095, CVE-2024-41069, CVE-2024-42234, CVE-2024-42136,
CVE-2024-41025, CVE-2024-42157, CVE-2024-42248, CVE-2024-42087,
CVE-2024-41041, CVE-2024-42230, CVE-2024-42151, CVE-2024-42130,
CVE-2024-42244, CVE-2024-41079, CVE-2024-42253, CVE-2024-42092,
CVE-2024-41022, CVE-2024-42137, CVE-2024-42132, CVE-2024-42108,
CVE-2024-42155, CVE-2024-42127, CVE-2024-41060, CVE-2024-42074,
CVE-2024-41081, CVE-2024-42066, CVE-2024-42098, CVE-2024-42082,
CVE-2024-42093, CVE-2024-42245, CVE-2024-41072, CVE-2024-41052,
CVE-2024-42161, CVE-2024-42096, CVE-2024-42115, CVE-2024-41074,
CVE-2024-42120, CVE-2024-41046, CVE-2024-42239, CVE-2024-41063,
CVE-2024-42090, CVE-2024-41023, CVE-2024-42069, CVE-2024-41087,
CVE-2024-42158, CVE-2024-41067, CVE-2024-41084, CVE-2024-41077,
CVE-2024-42240, CVE-2024-42145, CVE-2024-42102, CVE-2024-41020,
CVE-2024-42231, CVE-2024-41053, CVE-2024-42131, CVE-2024-42089,
CVE-2024-41083, CVE-2024-42247, CVE-2024-42105, CVE-2024-41044,
CVE-2024-42128, CVE-2024-42271, CVE-2024-41037, CVE-2024-42114,
CVE-2024-42106, CVE-2024-41076, CVE-2024-42088, CVE-2024-41057,
CVE-2024-41091, CVE-2024-42152, CVE-2024-41070, CVE-2024-41035,
CVE-2024-41050, CVE-2024-39487, CVE-2024-42113, CVE-2024-42250,
CVE-2024-41047, CVE-2024-42149, CVE-2024-42079, CVE-2024-42091,
CVE-2024-42227, CVE-2024-42095, CVE-2024-42109, CVE-2024-41033,
CVE-2023-52888, CVE-2024-41061, CVE-2024-42223, CVE-2024-42235,
CVE-2024-41086, CVE-2024-42133, CVE-2024-41082, CVE-2024-41071,
CVE-2024-41007, CVE-2023-52887, CVE-2024-39486, CVE-2024-41075,
CVE-2024-42101, CVE-2024-42077, CVE-2024-41042, CVE-2024-42225,
CVE-2024-42126, CVE-2024-41094, CVE-2024-41085, CVE-2024-41019,
CVE-2024-41058, CVE-2024-41066, CVE-2024-42156, CVE-2024-42119,
CVE-2024-41032, CVE-2024-41088, CVE-2024-42100, CVE-2024-42142,
CVE-2024-41054, CVE-2024-42103, CVE-2024-42124, CVE-2024-41034,
CVE-2024-42251, CVE-2024-42153, CVE-2024-41045, CVE-2024-42086,
CVE-2024-42243, CVE-2024-41055, CVE-2024-41078, CVE-2024-42117,
CVE-2024-41030, CVE-2024-42068, CVE-2024-42110, CVE-2024-42147,
CVE-2024-42121, CVE-2024-41080, CVE-2024-41027, CVE-2024-43858,
CVE-2024-42085, CVE-2024-42111, CVE-2024-42238, CVE-2024-41018,
CVE-2024-42138, CVE-2024-41038, CVE-2024-42070, CVE-2024-42141,
CVE-2024-41098, CVE-2024-42118, CVE-2024-41073, CVE-2024-42144,
CVE-2024-42280, CVE-2024-41049, CVE-2024-42076, CVE-2024-41065,
CVE-2024-42063, CVE-2024-41064, CVE-2024-41017, CVE-2024-42112,
CVE-2024-42064, CVE-2024-42135, CVE-2024-42146, CVE-2024-41010,
CVE-2024-41097, CVE-2024-41012, CVE-2024-42097, CVE-2024-42067,
CVE-2024-42236, CVE-2024-42080, CVE-2024-42241, CVE-2024-42065,
CVE-2024-42232, CVE-2024-42246, CVE-2024-41093, CVE-2024-41015,
CVE-2024-42129, CVE-2024-42073, CVE-2024-41029)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
linux-image-6.8.0-48-lowlatency 6.8.0-48.48.3
linux-image-6.8.0-48-lowlatency-64k 6.8.0-48.48.3
linux-image-lowlatency 6.8.0-48.48.3
linux-image-lowlatency-64k 6.8.0-48.48.3
linux-image-lowlatency-64k-hwe-24.04 6.8.0-48.48.3
linux-image-lowlatency-hwe-24.04 6.8.0-48.48.3

Ubuntu 22.04 LTS
linux-image-6.8.0-48-lowlatency 6.8.0-48.48.3~22.04.1
linux-image-6.8.0-48-lowlatency-64k 6.8.0-48.48.3~22.04.1
linux-image-lowlatency-64k-hwe-22.04 6.8.0-48.48.3~22.04.1
linux-image-lowlatency-hwe-22.04 6.8.0-48.48.3~22.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7089-7
https://ubuntu.com/security/notices/USN-7089-6
https://ubuntu.com/security/notices/USN-7089-5
https://ubuntu.com/security/notices/USN-7089-4
https://ubuntu.com/security/notices/USN-7089-3
https://ubuntu.com/security/notices/USN-7089-2
https://ubuntu.com/security/notices/USN-7089-1
CVE-2023-52887, CVE-2023-52888, CVE-2024-25741, CVE-2024-39486,
CVE-2024-39487, CVE-2024-41007, CVE-2024-41010, CVE-2024-41012,
CVE-2024-41015, CVE-2024-41017, CVE-2024-41018, CVE-2024-41019,
CVE-2024-41020, CVE-2024-41021, CVE-2024-41022, CVE-2024-41023,
CVE-2024-41025, CVE-2024-41027, CVE-2024-41028, CVE-2024-41029,
CVE-2024-41030, CVE-2024-41031, CVE-2024-41032, CVE-2024-41033,
CVE-2024-41034, CVE-2024-41035, CVE-2024-41036, CVE-2024-41037,
CVE-2024-41038, CVE-2024-41039, CVE-2024-41041, CVE-2024-41042,
CVE-2024-41044, CVE-2024-41045, CVE-2024-41046, CVE-2024-41047,
CVE-2024-41048, CVE-2024-41049, CVE-2024-41050, CVE-2024-41051,
CVE-2024-41052, CVE-2024-41053, CVE-2024-41054, CVE-2024-41055,
CVE-2024-41056, CVE-2024-41057, CVE-2024-41058, CVE-2024-41059,
CVE-2024-41060, CVE-2024-41061, CVE-2024-41062, CVE-2024-41063,
CVE-2024-41064, CVE-2024-41065, CVE-2024-41066, CVE-2024-41067,
CVE-2024-41068, CVE-2024-41069, CVE-2024-41070, CVE-2024-41071,
CVE-2024-41072, CVE-2024-41073, CVE-2024-41074, CVE-2024-41075,
CVE-2024-41076, CVE-2024-41077, CVE-2024-41078, CVE-2024-41079,
CVE-2024-41080, CVE-2024-41081, CVE-2024-41082, CVE-2024-41083,
CVE-2024-41084, CVE-2024-41085, CVE-2024-41086, CVE-2024-41087,
CVE-2024-41088, CVE-2024-41089, CVE-2024-41090, CVE-2024-41091,
CVE-2024-41092, CVE-2024-41093, CVE-2024-41094, CVE-2024-41095,
CVE-2024-41096, CVE-2024-41097, CVE-2024-41098, CVE-2024-42063,
CVE-2024-42064, CVE-2024-42065, CVE-2024-42066, CVE-2024-42067,
CVE-2024-42068, CVE-2024-42069, CVE-2024-42070, CVE-2024-42073,
CVE-2024-42074, CVE-2024-42076, CVE-2024-42077, CVE-2024-42079,
CVE-2024-42080, CVE-2024-42082, CVE-2024-42084, CVE-2024-42085,
CVE-2024-42086, CVE-2024-42087, CVE-2024-42088, CVE-2024-42089,
CVE-2024-42090, CVE-2024-42091, CVE-2024-42092, CVE-2024-42093,
CVE-2024-42094, CVE-2024-42095, CVE-2024-42096, CVE-2024-42097,
CVE-2024-42098, CVE-2024-42100, CVE-2024-42101, CVE-2024-42102,
CVE-2024-42103, CVE-2024-42104, CVE-2024-42105, CVE-2024-42106,
CVE-2024-42108, CVE-2024-42109, CVE-2024-42110, CVE-2024-42111,
CVE-2024-42112, CVE-2024-42113, CVE-2024-42114, CVE-2024-42115,
CVE-2024-42117, CVE-2024-42118, CVE-2024-42119, CVE-2024-42120,
CVE-2024-42121, CVE-2024-42124, CVE-2024-42126, CVE-2024-42127,
CVE-2024-42128, CVE-2024-42129, CVE-2024-42130, CVE-2024-42131,
CVE-2024-42132, CVE-2024-42133, CVE-2024-42135, CVE-2024-42136,
CVE-2024-42137, CVE-2024-42138, CVE-2024-42140, CVE-2024-42141,
CVE-2024-42142, CVE-2024-42144, CVE-2024-42145, CVE-2024-42146,
CVE-2024-42147, CVE-2024-42149, CVE-2024-42150, CVE-2024-42151,
CVE-2024-42152, CVE-2024-42153, CVE-2024-42155, CVE-2024-42156,
CVE-2024-42157, CVE-2024-42158, CVE-2024-42161, CVE-2024-42223,
CVE-2024-42225, CVE-2024-42227, CVE-2024-42229, CVE-2024-42230,
CVE-2024-42231, CVE-2024-42232, CVE-2024-42234, CVE-2024-42235,
CVE-2024-42236, CVE-2024-42237, CVE-2024-42238, CVE-2024-42239,
CVE-2024-42240, CVE-2024-42241, CVE-2024-42243, CVE-2024-42244,
CVE-2024-42245, CVE-2024-42246, CVE-2024-42247, CVE-2024-42248,
CVE-2024-42250, CVE-2024-42251, CVE-2024-42252, CVE-2024-42253,
CVE-2024-42271, CVE-2024-42280, CVE-2024-43855, CVE-2024-43858

Package Information:
https://launchpad.net/ubuntu/+source/linux-lowlatency/6.8.0-48.48.3

https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.8/6.8.0-48.48.3~22.04.1



[USN-7121-1] Linux kernel vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7121-1
November 19, 2024

linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,
linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- S390 architecture;
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
- ATM drivers;
- Device frequency scaling framework;
- GPU drivers;
- Hardware monitoring drivers;
- VMware VMCI Driver;
- Network drivers;
- Device tree and open firmware driver;
- SCSI drivers;
- Greybus lights staging drivers;
- BTRFS file system;
- File systems infrastructure;
- F2FS file system;
- JFS file system;
- NILFS2 file system;
- Netfilter;
- Memory management;
- Ethernet bridge;
- IPv6 networking;
- IUCV driver;
- Logical Link layer;
- MAC80211 subsystem;
- NFC subsystem;
- Network traffic control;
- Unix domain sockets;
(CVE-2023-52614, CVE-2024-26633, CVE-2024-46758, CVE-2024-46723,
CVE-2023-52502, CVE-2024-41059, CVE-2024-44987, CVE-2024-36020,
CVE-2023-52599, CVE-2023-52639, CVE-2024-26668, CVE-2024-42094,
CVE-2022-48938, CVE-2022-48733, CVE-2024-27397, CVE-2023-52578,
CVE-2024-38560, CVE-2024-38538, CVE-2024-42310, CVE-2024-46722,
CVE-2024-46800, CVE-2024-41095, CVE-2024-42104, CVE-2024-35877,
CVE-2022-48943, CVE-2024-46743, CVE-2023-52531, CVE-2024-46757,
CVE-2024-36953, CVE-2024-46756, CVE-2024-38596, CVE-2023-52612,
CVE-2024-38637, CVE-2024-41071, CVE-2024-46759, CVE-2024-43882,
CVE-2024-26675, CVE-2024-43854, CVE-2024-44942, CVE-2024-44998,
CVE-2024-42240, CVE-2024-41089, CVE-2024-26636, CVE-2024-46738,
CVE-2024-42309)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-1137-oracle 4.15.0-1137.148
Available with Ubuntu Pro
linux-image-4.15.0-1158-kvm 4.15.0-1158.163
Available with Ubuntu Pro
linux-image-4.15.0-1168-gcp 4.15.0-1168.185
Available with Ubuntu Pro
linux-image-4.15.0-1175-aws 4.15.0-1175.188
Available with Ubuntu Pro
linux-image-4.15.0-1183-azure 4.15.0-1183.198
Available with Ubuntu Pro
linux-image-4.15.0-231-generic 4.15.0-231.243
Available with Ubuntu Pro
linux-image-4.15.0-231-lowlatency 4.15.0-231.243
Available with Ubuntu Pro
linux-image-aws-lts-18.04 4.15.0.1175.173
Available with Ubuntu Pro
linux-image-azure-lts-18.04 4.15.0.1183.151
Available with Ubuntu Pro
linux-image-gcp-lts-18.04 4.15.0.1168.181
Available with Ubuntu Pro
linux-image-generic 4.15.0.231.215
Available with Ubuntu Pro
linux-image-kvm 4.15.0.1158.149
Available with Ubuntu Pro
linux-image-lowlatency 4.15.0.231.215
Available with Ubuntu Pro
linux-image-oracle-lts-18.04 4.15.0.1137.142
Available with Ubuntu Pro
linux-image-virtual 4.15.0.231.215
Available with Ubuntu Pro

Ubuntu 16.04 LTS
linux-image-4.15.0-1168-gcp 4.15.0-1168.185~16.04.1
Available with Ubuntu Pro
linux-image-4.15.0-1175-aws 4.15.0-1175.188~16.04.1
Available with Ubuntu Pro
linux-image-4.15.0-1183-azure 4.15.0-1183.198~16.04.1
Available with Ubuntu Pro
linux-image-4.15.0-231-generic 4.15.0-231.243~16.04.1
Available with Ubuntu Pro
linux-image-4.15.0-231-lowlatency 4.15.0-231.243~16.04.1
Available with Ubuntu Pro
linux-image-aws-hwe 4.15.0.1175.188~16.04.1
Available with Ubuntu Pro
linux-image-azure 4.15.0.1183.198~16.04.1
Available with Ubuntu Pro
linux-image-gcp 4.15.0.1168.185~16.04.1
Available with Ubuntu Pro
linux-image-generic-hwe-16.04 4.15.0.231.243~16.04.1
Available with Ubuntu Pro
linux-image-gke 4.15.0.1168.185~16.04.1
Available with Ubuntu Pro
linux-image-lowlatency-hwe-16.04 4.15.0.231.243~16.04.1
Available with Ubuntu Pro
linux-image-oem 4.15.0.231.243~16.04.1
Available with Ubuntu Pro
linux-image-virtual-hwe-16.04 4.15.0.231.243~16.04.1
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7121-1
CVE-2022-48733, CVE-2022-48938, CVE-2022-48943, CVE-2023-52502,
CVE-2023-52531, CVE-2023-52578, CVE-2023-52599, CVE-2023-52612,
CVE-2023-52614, CVE-2023-52639, CVE-2024-26633, CVE-2024-26636,
CVE-2024-26668, CVE-2024-26675, CVE-2024-27397, CVE-2024-35877,
CVE-2024-36020, CVE-2024-36953, CVE-2024-38538, CVE-2024-38560,
CVE-2024-38596, CVE-2024-38637, CVE-2024-41059, CVE-2024-41071,
CVE-2024-41089, CVE-2024-41095, CVE-2024-42094, CVE-2024-42104,
CVE-2024-42240, CVE-2024-42309, CVE-2024-42310, CVE-2024-43854,
CVE-2024-43882, CVE-2024-44942, CVE-2024-44987, CVE-2024-44998,
CVE-2024-46722, CVE-2024-46723, CVE-2024-46738, CVE-2024-46743,
CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,
CVE-2024-46800



[USN-7117-1] needrestart and Module::ScanDeps vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7117-1
November 19, 2024

Several security issues were fixed in needrestart and Module::ScanDeps
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in libmodule-scandeps-perl, needrestart.

Software Description:
- libmodule-scandeps-perl: module to recursively scan Perl code for
dependencies
- needrestart: check which daemons need to be restarted after library
upgrades

Details:

Qualys discovered that needrestart passed unsanitized data to a library
(libmodule-scandeps-perl) which expects safe input. A local attacker could
possibly use this issue to execute arbitrary code as root.
(CVE-2024-11003)

Qualys discovered that the library libmodule-scandeps-perl incorrectly
parsed perl code. This could allow a local attacker to execute arbitrary
shell commands. (CVE-2024-10224)

Qualys discovered that needrestart incorrectly used the PYTHONPATH
environment variable to spawn a new Python interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48990)

Qualys discovered that needrestart incorrectly checked the path to the
Python interpreter. A local attacker could possibly use this issue to win
a race condition and execute arbitrary code as root. (CVE-2024-48991)

Qualys discovered that needrestart incorrectly used the RUBYLIB
environment variable to spawn a new Ruby interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48992)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
libmodule-scandeps-perl 1.35-1ubuntu0.24.10.1
needrestart 3.6-8ubuntu4.2

Ubuntu 24.04 LTS
libmodule-scandeps-perl 1.35-1ubuntu0.24.04.1
needrestart 3.6-7ubuntu4.3

Ubuntu 22.04 LTS
libmodule-scandeps-perl 1.31-1ubuntu0.1
needrestart 3.5-5ubuntu2.2

Ubuntu 20.04 LTS
libmodule-scandeps-perl 1.27-1ubuntu0.1~esm1
Available with Ubuntu Pro
needrestart 3.4-6ubuntu0.1+esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libmodule-scandeps-perl 1.24-1ubuntu0.1~esm1
Available with Ubuntu Pro
needrestart 3.1-1ubuntu0.1+esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libmodule-scandeps-perl 1.20-1ubuntu0.1~esm1
Available with Ubuntu Pro
needrestart 2.6-1ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7117-1
CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-48991,
CVE-2024-48992

Package Information:

https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.35-1ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/needrestart/3.6-8ubuntu4.2

https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.35-1ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/needrestart/3.6-7ubuntu4.3

https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.31-1ubuntu0.1
https://launchpad.net/ubuntu/+source/needrestart/3.5-5ubuntu2.2



[USN-7115-1] Waitress vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7115-1
November 19, 2024

Waitress vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Waitress.

Software Description:
- waitress: production-quality pure-Python WSGI server

Details:

It was discovered that Waitress could process follow up requests when
receiving a specially crafted message. An attacker could use this issue to
have the server process inconsistent client requests. (CVE-2024-49768)

Dylan Jay discovered that Waitress could be lead to write to an unexisting
socket after closing the remote connection. An attacker could use this
issue to increase resource utilization leading to a denial of service.
(CVE-2024-49769)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  python3-waitress                3.0.0-1ubuntu0.1

Ubuntu 24.04 LTS
  python3-waitress                2.1.2-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  python3-waitress                1.4.4-1.1ubuntu1.1

Ubuntu 20.04 LTS
  python3-waitress                1.4.1-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7115-1
  CVE-2024-49768, CVE-2024-49769

Package Information:
  https://launchpad.net/ubuntu/+source/waitress/3.0.0-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/waitress/1.4.4-1.1ubuntu1.1
  https://launchpad.net/ubuntu/+source/waitress/1.4.1-1ubuntu0.2