Ubuntu 6494 Published by

The following updates have been released for Ubuntu Linux:

[USN-6906-1] python-zipp vulnerability
[USN-6912-1] provd vulnerability
[USN-6914-1] OCS Inventory vulnerability
[USN-6913-1] phpCAS vulnerability
[USN-6915-1] poppler vulnerability




[USN-6906-1] python-zipp vulnerability


From: Shishir Subedi <shishir.subedi@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <d4ddebdb-523a-4d6d-a087-6e9b8473e939@canonical.com>
Subject: [USN-6906-1] python-zipp vulnerability

=========================================================================
Ubuntu Security Notice USN-6906-1
July 24, 2024

python-zipp vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

python-zipp could be made to crash if certain zip files are used.

Software Description:
- python-zipp: pathlib-compatible Zipfile object wrapper - Python 3.x

Details:

It was discovered that python-zipp did not properly handle zip files
containing members with malformed names. An attacker could possibly use
this issue to cause a denial of service.
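The notice does not say which malformed names trigger the problem, so the following Python example, added here and not zipp's own code, does not try to reproduce the bug. It shows the check a practitioner can put in front of any pathlib-style zip wrapper: reject member names that are empty, absolute, traversing, built only from separators or containing empty components, and walk the directories a name implies with an explicit bound so that no name can keep the walk running. The helper names and the sample archive are constructed for this example.

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# Hypothetical helper names (member_name_problems, implied_dirs,
# audit_archive, build_sample_archive, safe_members): this example's own.


def member_name_problems(name: str) -> List[str]:
    """Reasons an archive member name should be rejected before a
    pathlib-style wrapper sees it. An empty list means the name is fine."""
    problems = []
    if name == "":
        return ["empty name"]
    if "\x00" in name:
        problems.append("NUL byte")
    if "\\" in name:
        problems.append("backslash separator")
    if name.startswith("/"):
        problems.append("absolute path")
    core = name.strip("/")
    if core == "":
        problems.append("only separators")
        return problems
    parts = core.split("/")
    if "" in parts:
        problems.append("empty component (doubled slash)")
    if ".." in parts:
        problems.append("parent-directory traversal")
    if "." in parts:
        problems.append("current-directory component")
    return problems


def implied_dirs(name: str, max_depth: int = 256) -> List[str]:
    """Directory prefixes implied by a member name ('a/b/c' -> ['a/b/', 'a/']),
    walked with a hard bound: the loop ends for every input, and a name
    deeper than max_depth is an error rather than a long-running walk."""
    dirs = []
    path = name
    for _ in range(max_depth):
        path = path.rstrip("/")
        if not path:              # '', '/', '//', '///' all stop here
            return dirs
        path, _tail = posixpath.split(path)
        parent = path.rstrip("/")
        if parent:
            dirs.append(parent + "/")
    raise ValueError(f"member name too deep or pathological: {name!r}")


def audit_archive(data: bytes) -> Dict[str, List[str]]:
    """Map every member name of an in-memory zip to its problems."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: member_name_problems(info.filename)
                for info in zf.infolist()}


def safe_members(data: bytes) -> List[str]:
    """Only names that pass validation may be handed to the path wrapper."""
    return [name for name, probs in audit_archive(data).items() if not probs]


def build_sample_archive() -> bytes:
    """Constructed test input: well-formed members plus the kinds of
    malformed names the validator is meant to catch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"hello")
        zf.writestr("docs/sub/notes.txt", b"notes")
        zf.writestr("//", b"")                  # nothing but separators
        zf.writestr("/etc/passwd", b"root:x")   # absolute path
        zf.writestr("a//b.txt", b"")            # empty component
        zf.writestr("../escape.txt", b"")       # traversal
    return buf.getvalue()


if __name__ == "__main__":
    for member, probs in audit_archive(build_sample_archive()).items():
        print(f"{member!r}: {'ok' if not probs else ', '.join(probs)}")
        if not probs:
            print("    implied dirs:", implied_dirs(member))
```

Run the audit on the archive bytes before constructing the wrapper, and log the rejected names: an archive that carries such names is worth treating as hostile rather than merely skipping the bad entries.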

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
python3-zipp 1.0.0-6ubuntu0.1

Ubuntu 22.04 LTS
python3-zipp 1.0.0-3ubuntu0.1

Ubuntu 20.04 LTS
pypy-zipp 1.0.0-1ubuntu0.1
python-zipp 1.0.0-1ubuntu0.1
python3-zipp 1.0.0-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6906-1
CVE-2024-5569

Package Information:
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-6ubuntu0.1
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-3ubuntu0.1
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-1ubuntu0.1




[USN-6912-1] provd vulnerability


From: Luci Stanescu <luci.stanescu@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <103e4892-29e7-41c6-a1b2-2c57e0d070f9@canonical.com>
Subject: [USN-6912-1] provd vulnerability

==========================================================================
Ubuntu Security Notice USN-6912-1
July 24, 2024

provd vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

provd could be made to run programs as an administrator.

Software Description:
- provd: Ubuntu Desktop Provision init backend

Details:

James Henstridge discovered that provd incorrectly handled environment
variables. A local attacker could possibly use this issue to run arbitrary
programs and escalate privileges.
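The notice gives no detail of how provd handled the variables, so the following is the general pattern for a privileged service that spawns programs on behalf of a less-privileged caller, written in Python as an added example and not taken from provd: build the child's environment from a fixed base plus an allowlist, so that loader- and interpreter-controlling variables (LD_PRELOAD, PATH, PYTHONPATH and the like) can never come from the caller. The allowlist, the fixed values, the helper names and the sample request are this example's assumptions.

```python
import json
import subprocess
import sys
from typing import Dict, List, Tuple

# Hypothetical helper names (sanitize_env, spawn_with_sanitized_env,
# demo_child_env); not provd's code.

# Variables a less-privileged caller may set in the privileged child:
# harmless locale and terminal settings, with their values checked below.
PASSTHROUGH = frozenset({"LANG", "LC_ALL", "LC_MESSAGES", "TZ", "TERM"})

# Values the privileged side always sets itself. Because everything not in
# PASSTHROUGH is dropped, LD_*, PYTHON*, PERL5LIB, BASH_ENV, IFS overrides
# and so on never reach the child, whatever the caller asked for.
FIXED = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin", "IFS": " \t\n", "HOME": "/root"}

# Constructed: what a local caller might try to inject into a root child.
CALLER_REQUEST = {
    "LANG": "en_US.UTF-8",                      # allowed
    "LD_PRELOAD": "/tmp/evil.so",               # would load caller code as root
    "PATH": "/tmp/bin:/usr/bin",                # would resolve commands from /tmp
    "PYTHONPATH": "/tmp/pyeval",                # same for any Python helper
    "TERM": "xterm\nLD_PRELOAD=/tmp/evil.so",   # allowed key, hostile value
}


def sanitize_env(requested: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (environment for the child, keys that were rejected).
    Rejections are returned rather than silently dropped so they can be
    logged: a caller asking for LD_PRELOAD is worth an audit record."""
    env = dict(FIXED)
    rejected = []
    for key, value in requested.items():
        value_ok = ("\x00" not in value and "\n" not in value
                    and value.isprintable() and len(value) < 256)
        if key in PASSTHROUGH and value_ok:
            env[key] = value
        else:
            rejected.append(key)
    return env, rejected


def spawn_with_sanitized_env(argv: List[str], requested: Dict[str, str]) -> str:
    """Run argv with the sanitized environment and return its stdout.
    The child never inherits the service's own environment either."""
    env, _rejected = sanitize_env(requested)
    proc = subprocess.run(argv, env=env, capture_output=True, check=True, text=True)
    return proc.stdout


def demo_child_env(requested: Dict[str, str]) -> Dict[str, str]:
    """Stand-in for the privileged helper: a Python one-liner that reports
    the environment it actually received."""
    out = spawn_with_sanitized_env(
        [sys.executable, "-c", "import json, os; print(json.dumps(dict(os.environ)))"],
        requested)
    return json.loads(out)


if __name__ == "__main__":
    env, rejected = sanitize_env(CALLER_REQUEST)
    print("child env:", env)
    print("rejected :", rejected)
    print("seen by child:", demo_child_env(CALLER_REQUEST))
```

The allowlist is the point: a denylist of known-dangerous names misses the next variable some loader or interpreter starts honouring, whereas an allowlist only ever admits what the privileged side has decided is harmless.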

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
provd 0.1.2+24.04

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6912-1
CVE-2024-6714, https://bugs.launchpad.net/ubuntu/+source/provd/+bug/2071574

Package Information:
https://launchpad.net/ubuntu/+source/provd/0.1.2+24.04




[USN-6914-1] OCS Inventory vulnerability


==========================================================================
Ubuntu Security Notice USN-6914-1
July 24, 2024

ocsinventory-server vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

OCS Inventory was vulnerable to an authentication bypass if the
selected authentication method was via CAS.

Software Description:
- ocsinventory-server: Hardware and software inventory tool

Details:

Filip Hejsek discovered that the phpCAS library included in OCS Inventory
was using HTTP headers to determine the service URL used to validate
tickets. A remote attacker could possibly use this issue to gain access
to a victim's account.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
ocsinventory-reports 2.8.1+dfsg1-1ubuntu0.1
ocsinventory-server 2.8.1+dfsg1-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6914-1
CVE-2022-39369

Package Information:
https://launchpad.net/ubuntu/+source/ocsinventory-server/2.8.1+dfsg1-1ubuntu0.1



[USN-6913-1] phpCAS vulnerability


==========================================================================
Ubuntu Security Notice USN-6913-1
July 24, 2024

php-cas vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

phpCAS was vulnerable to an authentication bypass.

Software Description:
- php-cas: Central Authentication Service client library in php

Details:

Filip Hejsek discovered that phpCAS was using HTTP headers to determine
the service URL used to validate tickets. A remote attacker could
possibly use this issue to gain access to a victim's account on a
vulnerable CASified service.

This security update introduces an incompatible API change. After applying
this update, third party applications need to be modified to pass in an
additional service base URL argument when constructing the client class.

For more information please refer to the section
"Upgrading 1.5.0 -> 1.6.0" of the phpCAS upgrading document:

https://github.com/apereo/phpCAS/blob/master/docs/Upgrading
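USN-6914-1 and USN-6913-1 above describe the same defect: the service URL sent to the CAS server when a ticket is validated was built from request headers. The following Python simulation, added here and not phpCAS code, shows why that matters and what the 1.6.0 API change buys. A minimal CAS ticket store binds each service ticket to the exact service URL it was issued for; the CASified application then validates an incoming ticket either with a header-derived service URL (the old behaviour) or with a configured service base URL (the new required argument). In the first case a ticket bound to whatever host the requester names in X-Forwarded-Host is accepted as a login for the user it was issued to; in the second the same ticket is rejected because the service no longer matches. Hostnames, tickets and helper names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical names throughout (CasServer, service_url_from_headers,
# service_url_from_base, split_ticket, handle_login, scenario); not phpCAS code.


@dataclass
class CasServer:
    """Minimal CAS ticket store. A service ticket is bound to the exact
    service URL it was issued for and validates only against that URL."""
    tickets: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    issued: int = 0

    def issue(self, user: str, service: str) -> str:
        self.issued += 1
        ticket = f"ST-{self.issued}"
        self.tickets[ticket] = (user, service)
        return ticket

    def service_validate(self, service: str, ticket: str) -> Optional[str]:
        user, bound = self.tickets.pop(ticket, (None, None))   # single use
        return user if user is not None and bound == service else None


def service_url_from_headers(headers: Dict[str, str], path: str) -> str:
    """Weak derivation: scheme and host come from headers the requester
    controls, so the requester picks which service the ticket is checked for."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    scheme = "https" if headers.get("X-Forwarded-Proto") == "https" else "http"
    return f"{scheme}://{host}{path}"


def service_url_from_base(base_url: str, path: str) -> str:
    """Fixed derivation: scheme and host come from the configured service
    base URL; only the request path (minus the ticket) is appended."""
    base = urlsplit(base_url)
    return urlunsplit((base.scheme, base.netloc, path, "", ""))


def split_ticket(target: str) -> Tuple[str, str]:
    """Split a request target into (path+query without 'ticket', ticket)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    ticket = next((v for k, v in pairs if k == "ticket"), "")
    rest = [(k, v) for k, v in pairs if k != "ticket"]
    return parts.path + ("?" + urlencode(rest) if rest else ""), ticket


def handle_login(cas: CasServer, headers: Dict[str, str], target: str,
                 base_url: Optional[str]) -> Optional[str]:
    """The CASified app's /login handler. base_url=None selects the weak
    header-based derivation, a string the fixed one. Returns the user the
    app would log in, or None when the CAS server rejects the ticket."""
    path, ticket = split_ticket(target)
    if base_url is None:
        service = service_url_from_headers(headers, path)
    else:
        service = service_url_from_base(base_url, path)
    return cas.service_validate(service, ticket)


def scenario(use_base_url: bool) -> Optional[str]:
    """A ticket bound to other.example is presented to app.example by a
    request that names other.example in X-Forwarded-Host (constructed hosts)."""
    cas = CasServer()
    ticket = cas.issue("victim", "https://other.example/login")
    headers = {"Host": "app.example",
               "X-Forwarded-Host": "other.example",
               "X-Forwarded-Proto": "https"}
    base_url = "https://app.example" if use_base_url else None
    return handle_login(cas, headers, f"/login?ticket={ticket}", base_url)


if __name__ == "__main__":
    print("header-derived service URL logs in:", scenario(False))
    print("configured base URL logs in:       ", scenario(True))
```

When updating an application that wraps phpCAS, the new base URL argument must be the externally visible URL of the service as the CAS server knows it (scheme, host and port), not something read back from the request, or the fix is undone.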

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
php-cas 1.3.8-1ubuntu0.22.04.1

Ubuntu 20.04 LTS
php-cas 1.3.8-1ubuntu0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6913-1
CVE-2022-39369

Package Information:
https://launchpad.net/ubuntu/+source/php-cas/1.3.8-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/php-cas/1.3.8-1ubuntu0.20.04.1



[USN-6915-1] poppler vulnerability


=========================================================================
Ubuntu Security Notice USN-6915-1
July 24, 2024

poppler vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

poppler could be made to cause a denial of service if it opened a specially crafted PDF.

Software Description:
- poppler: PDF rendering library

Details:

It was discovered that poppler incorrectly handled certain malformed PDF
files. An attacker could possibly use this issue to cause a denial of service.
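A renderer that can be made to hang or crash on crafted input should not run unbounded in a service that accepts documents from users. The following Python wrapper, added here and not part of poppler, runs a command such as pdftotext in a child with CPU, address-space and wall-clock bounds (resource limits applied between fork and exec, plus the subprocess timeout) and maps the outcome to a status the caller can act on. The helper names are this example's own; the demo uses Python one-liners in place of the renderer so the block runs without poppler installed, and the limits are illustrative values.

```python
import resource
import shutil
import signal
import subprocess
import sys
from typing import Dict, List

# Hypothetical helper names (run_bounded, extract_text_bounded, demo);
# this wrapper is the example's own, not poppler's API.


def _apply_limits(cpu_seconds: int, mem_bytes: int):
    """Returns the function run in the child between fork and exec."""
    def apply() -> None:
        # Soft CPU limit delivers SIGXCPU, fatal by default; the hard limit a
        # second later is SIGKILL for a child that chose to ignore SIGXCPU.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        # Address-space cap: a parser that balloons fails its allocation
        # instead of pushing the host into swap or the OOM killer.
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        # No core files full of the (possibly sensitive) document.
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return apply


def run_bounded(argv: List[str], cpu_seconds: int = 10, mem_bytes: int = 1 << 30,
                wall_seconds: int = 30) -> Dict[str, object]:
    """Run argv under CPU, memory and wall-clock bounds.
    status is one of 'ok', 'error', 'cpu-limit', 'timeout'."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=wall_seconds,
                              preexec_fn=_apply_limits(cpu_seconds, mem_bytes))
    except subprocess.TimeoutExpired as exc:
        # subprocess.run has already killed the child when this is raised.
        return {"status": "timeout", "rc": None, "stdout": exc.stdout or b""}
    if proc.returncode == -signal.SIGXCPU:
        status = "cpu-limit"
    elif proc.returncode == 0:
        status = "ok"
    else:
        status = "error"          # crash (negative rc) or non-zero exit
    return {"status": status, "rc": proc.returncode, "stdout": proc.stdout}


def extract_text_bounded(pdf_path: str) -> Dict[str, object]:
    """Real use: poppler's pdftotext on an untrusted file, text to stdout."""
    return run_bounded(["pdftotext", "-q", pdf_path, "-"],
                       cpu_seconds=10, mem_bytes=1 << 30, wall_seconds=30)


def demo() -> Dict[str, str]:
    """Constructed stand-ins for a renderer: one that finishes, one that
    spins the CPU forever, and one that blocks without using CPU."""
    py = sys.executable
    return {
        "ok": run_bounded([py, "-c", "print('rendered')"])["status"],
        "spin": run_bounded([py, "-c", "while True: pass"],
                            cpu_seconds=1, wall_seconds=20)["status"],
        "hang": run_bounded([py, "-c", "import time; time.sleep(60)"],
                            wall_seconds=1)["status"],
    }


if __name__ == "__main__":
    print(demo())
    if len(sys.argv) > 1 and shutil.which("pdftotext"):
        print(extract_text_bounded(sys.argv[1])["status"])
```

Both bounds are needed: a CPU limit alone does not stop a child that blocks on I/O or a lock, and a wall-clock timeout alone lets a spinning child consume a full core until it fires. Treat 'cpu-limit' and 'timeout' as signals to quarantine the input, not just to retry.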

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libpoppler134 24.02.0-1ubuntu9.1
poppler-utils 24.02.0-1ubuntu9.1

Ubuntu 22.04 LTS
libpoppler118 22.02.0-2ubuntu0.5
poppler-utils 22.02.0-2ubuntu0.5

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6915-1
CVE-2024-6239

Package Information:
https://launchpad.net/ubuntu/+source/poppler/24.02.0-1ubuntu9.1
https://launchpad.net/ubuntu/+source/poppler/22.02.0-2ubuntu0.5