[USN-6906-1] python-zipp vulnerability
[USN-6912-1] provd vulnerability
[USN-6914-1] OCS Inventory vulnerability
[USN-6913-1] phpCAS vulnerability
[USN-6915-1] poppler vulnerability
[USN-6906-1] python-zipp vulnerability
From: Shishir Subedi <shishir.subedi@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <d4ddebdb-523a-4d6d-a087-6e9b8473e939@canonical.com>
Subject: [USN-6906-1] python-zipp vulnerability
=========================================================================
Ubuntu Security Notice USN-6906-1
July 24, 2024
python-zipp vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
python-zipp could be made to crash if certain zip files are used.
Software Description:
- python-zipp: pathlib-compatible Zipfile object wrapper - Python 3.x
Details:
It was discovered that python-zipp did not properly handle zip files with
malformed member names. An attacker could possibly use this issue to cause a
denial of service.
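The notice does not say which names trip python-zipp, so the practical defence for anything that opens untrusted archives is to reject malformed member names before the archive reaches zipp.Path() or extractall(). The following pre-flight check is an added example written for this page; it is not code from python-zipp or from the notice, and the set of rejected shapes (empty names, absolute paths, "..", non-canonical components, backslashes, duplicates) is this example's own choice rather than a list taken from the fix. It uses only the standard library so it runs on an unpatched host too.

```python
import io
import posixpath
import zipfile


def name_problems(name):
    """Reasons an archive member name is malformed; an empty list means the name is acceptable."""
    problems = []
    stripped = name.rstrip("/")              # a trailing slash only marks a directory member
    if stripped == "":
        return ["empty name"]                # "", "/" and "//" all collapse to nothing
    if name.startswith("/"):
        problems.append("absolute path")
    if "\\" in name:
        problems.append("backslash separator")
    if "\x00" in name:
        problems.append("NUL byte")
    relative = stripped.lstrip("/")
    if ".." in relative.split("/"):
        problems.append("parent-directory component")
    if posixpath.normpath(relative) != relative:
        problems.append("not in canonical form")   # e.g. "a//b" or "a/./b"
    return problems


def check_archive(data):
    """Map each malformed member name in a zip (given as bytes) to its problems; {} means clean."""
    bad = {}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = name_problems(info.filename)
            if info.filename in seen:
                problems.append("duplicate member")
            seen.add(info.filename)
            if problems:
                bad[info.filename] = problems
    return bad


def build_sample(names):
    """Constructed sample archive with one empty member per name. zipfile does not sanitise
    names passed to writestr(), so hostile names survive into the archive exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["ok.txt", "dir/", "/abs.txt", "../escape.txt", "//"])
    for member, problems in check_archive(sample).items():
        print(f"{member!r}: {', '.join(problems)}")
    # Only an archive for which check_archive() returns {} should be handed on to
    # zipp.Path(io.BytesIO(data)) or ZipFile.extractall().
```

Running the module lists the three hostile members of the constructed sample and stays silent about "ok.txt" and "dir/". The check is deliberately stricter than the zip format requires: a legitimate archive has no reason to contain "a//b" or "./x", so anything non-canonical is treated as hostile rather than normalised.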
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-zipp 1.0.0-6ubuntu0.1
Ubuntu 22.04 LTS
python3-zipp 1.0.0-3ubuntu0.1
Ubuntu 20.04 LTS
pypy-zipp 1.0.0-1ubuntu0.1
python-zipp 1.0.0-1ubuntu0.1
python3-zipp 1.0.0-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6906-1
CVE-2024-5569
Package Information:
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-6ubuntu0.1
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-3ubuntu0.1
https://launchpad.net/ubuntu/+source/python-zipp/1.0.0-1ubuntu0.1
[USN-6912-1] provd vulnerability
From: Luci Stanescu <luci.stanescu@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <103e4892-29e7-41c6-a1b2-2c57e0d070f9@canonical.com>
Subject: [USN-6912-1] provd vulnerability
==========================================================================
Ubuntu Security Notice USN-6912-1
July 24, 2024
provd vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
provd could be made to run programs as an administrator.
Software Description:
- provd: Ubuntu Desktop Provision init backend
Details:
James Henstridge discovered that provd incorrectly handled environment
variables. A local attacker could possibly use this issue to run arbitrary
programs and escalate privileges.
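The bug class here is a privileged component that lets an unprivileged caller's environment influence what it executes: PATH decides which binary a bare program name resolves to, and variables such as LD_PRELOAD are honoured by the dynamic loader in the child. The snippet below is an added example written for this page to show the pattern and its fix; it is not provd's code, says nothing about provd's internals, and its allowlist, trusted PATH and the planted "id" program are constructed for the demonstration.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Variables a root helper may accept from its caller (hypothetical allowlist).
ALLOWED_KEYS = frozenset({"LANG", "LC_ALL", "TERM"})
# Search path fixed by the helper itself, never taken from the caller.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def scrub_env(caller_env):
    """Keep only allowlisted variables and pin PATH; PATH, LD_PRELOAD, LD_LIBRARY_PATH
    and anything else the caller set are dropped."""
    env = {k: v for k, v in caller_env.items() if k in ALLOWED_KEYS}
    env["PATH"] = TRUSTED_PATH
    return env


def resolve_program(name, env):
    """Where a bare program name resolves under a given environment's PATH."""
    return shutil.which(name, path=env.get("PATH", ""))


def run_as_helper(argv, caller_env, **kwargs):
    """Hardened launch: absolute program path and a scrubbed environment, so neither the
    lookup nor the loader can be steered by the caller."""
    if not os.path.isabs(argv[0]):
        raise ValueError("helper must be given an absolute program path")
    return subprocess.run(argv, env=scrub_env(caller_env), **kwargs)


def demo():
    """Constructed scenario: the caller plants its own 'id', prepends its directory to PATH
    and sets LD_PRELOAD, then asks the helper to run 'id'."""
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "id")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\necho hijacked\n")
        os.chmod(planted, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
        caller_env = {
            "PATH": d + os.pathsep + TRUSTED_PATH,
            "LD_PRELOAD": os.path.join(d, "evil.so"),
            "LANG": "C.UTF-8",
        }
        naive = resolve_program("id", caller_env)        # what a helper inheriting env would exec
        scrubbed_env = scrub_env(caller_env)
        hardened = resolve_program("id", scrubbed_env)
        return {
            "naive_lookup_hijacked": naive == planted,
            "hardened_lookup_hijacked": hardened is not None and hardened.startswith(d),
            "ld_preload_dropped": "LD_PRELOAD" not in scrubbed_env,
            "lang_kept": scrubbed_env.get("LANG") == "C.UTF-8",
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two lookups make the point: with the caller's PATH the helper would execute the planted script, with the pinned PATH it finds the system binary (or nothing). The same scrubbing must happen before any child is started as root, because LD_PRELOAD does its damage inside the child regardless of which binary was chosen.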
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
provd 0.1.2+24.04
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6912-1
CVE-2024-6714, https://bugs.launchpad.net/ubuntu/+source/provd/+bug/2071574
Package Information:
https://launchpad.net/ubuntu/+source/provd/0.1.2+24.04
[USN-6914-1] OCS Inventory vulnerability
==========================================================================
Ubuntu Security Notice USN-6914-1
July 24, 2024
ocsinventory-server vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
OCS Inventory was vulnerable to an authentication bypass if CAS was the
selected authentication method.
Software Description:
- ocsinventory-server: Hardware and software inventory tool
Details:
Filip Hejsek discovered that the phpCAS library included in OCS Inventory
was using HTTP headers to determine the service URL used to validate
tickets. A remote attacker could possibly use this issue to gain access
to a victim's account.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
ocsinventory-reports 2.8.1+dfsg1-1ubuntu0.1
ocsinventory-server 2.8.1+dfsg1-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6914-1
CVE-2022-39369
Package Information:
https://launchpad.net/ubuntu/+source/ocsinventory-server/2.8.1+dfsg1-1ubuntu0.1
[USN-6913-1] phpCAS vulnerability
==========================================================================
Ubuntu Security Notice USN-6913-1
July 24, 2024
php-cas vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
phpCAS was vulnerable to an authentication bypass.
Software Description:
- php-cas: Central Authentication Service client library in php
Details:
Filip Hejsek discovered that phpCAS was using HTTP headers to determine
the service URL used to validate tickets. A remote attacker could
possibly use this issue to gain access to a victim's account on a
vulnerable CASified service.
This security update introduces an incompatible API change. After applying
this update, third party applications need to be modified to pass in an
additional service base URL argument when constructing the client class.
For more information please refer to the section
"Upgrading 1.5.0 -> 1.6.0" of the phpCAS upgrading document:
https://github.com/apereo/phpCAS/blob/master/docs/Upgrading
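Both USN-6914-1 and this notice come down to the same mistake: the service URL that the CAS client sends to the server for ticket validation was rebuilt from request headers (Host, or X-Forwarded-Host behind a proxy), which the client's HTTP peer controls. The upgrade described above moves that URL into configuration. The Python below is an added example written for this page, not phpCAS or OCS Inventory code; it shows the header-derived derivation beside a configuration-derived one and generalises the fix to an allowlist of base URLs, mirroring the single-URL-or-array form the new phpCAS argument accepts. The request dict, header values and helper names are constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit


def constructed_request(host="app.example.com", forwarded=None, path="/login", ticket="ST-1234-abc"):
    """Constructed request as a CAS-protected application sees it after the CAS server
    redirected the browser back with a ticket. Host and X-Forwarded-Host are peer-controlled."""
    headers = {"Host": host}
    if forwarded:
        headers["X-Forwarded-Host"] = forwarded
    return {"scheme": "https", "headers": headers, "path": path, "query": f"ticket={ticket}"}


def strip_ticket(query):
    """The service URL sent for validation is the request URL without the ticket parameter."""
    return "&".join(p for p in query.split("&") if p and not p.startswith("ticket="))


def service_url_from_headers(req):
    """Vulnerable pattern: trust X-Forwarded-Host / Host to rebuild the service URL."""
    host = req["headers"].get("X-Forwarded-Host") or req["headers"]["Host"]
    return urlunsplit((req["scheme"], host, req["path"], strip_ticket(req["query"]), ""))


def service_url_from_config(req, service_base_urls):
    """Fixed pattern: the scheme and host come from configuration. A single base URL or a
    list of permitted ones is accepted; the request's Host header may only select among
    them, and X-Forwarded-Host is ignored entirely. When Host matches nothing configured,
    this example falls back to the first configured base instead of trusting the request."""
    bases = [service_base_urls] if isinstance(service_base_urls, str) else list(service_base_urls)
    if not bases:
        raise ValueError("at least one service base URL must be configured")
    req_host = req["headers"].get("Host", "").lower()
    chosen = urlsplit(bases[0])
    for base in bases:
        parts = urlsplit(base)
        if parts.netloc.lower() == req_host and parts.scheme == req["scheme"]:
            chosen = parts
            break
    return urlunsplit((chosen.scheme, chosen.netloc, req["path"], strip_ticket(req["query"]), ""))


if __name__ == "__main__":
    spoofed = constructed_request(forwarded="evil.example.net")
    print("header-derived :", service_url_from_headers(spoofed))
    print("config-derived :", service_url_from_config(spoofed, "https://app.example.com"))
```

With the spoofed request the header-derived function hands the CAS server an attacker-chosen service URL, while the configuration-derived one ignores the header and validates against the deployment's own URL. Applications upgrading php-cas must pass that configured base URL (or list) when constructing the client, as the notice says; the point of the example is that nothing in the derivation should remain under the requester's control.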
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
php-cas 1.3.8-1ubuntu0.22.04.1
Ubuntu 20.04 LTS
php-cas 1.3.8-1ubuntu0.20.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6913-1
CVE-2022-39369
Package Information:
https://launchpad.net/ubuntu/+source/php-cas/1.3.8-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/php-cas/1.3.8-1ubuntu0.20.04.1
[USN-6915-1] poppler vulnerability
=========================================================================
Ubuntu Security Notice USN-6915-1
July 24, 2024
poppler vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
poppler could be made to crash if it opened a specially crafted PDF.
Software Description:
- poppler: PDF rendering library
Details:
It was discovered that poppler incorrectly handled certain malformed PDF files.
An attacker could possibly use this issue to cause a denial of service.
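Services that run poppler-utils over uploaded documents should assume that a malformed PDF can crash or hang the tool, and contain it rather than let it take the service down. The following wrapper is an added example written for this page, not poppler code: it runs a command under address-space and CPU rlimits, a wall-clock timeout and no core dumps, and reports a crash as a signal name instead of an exception. The pdfinfo path and the limit values are assumptions of the example.

```python
import resource
import signal
import subprocess

PDFINFO = "/usr/bin/pdfinfo"          # assumed location of poppler-utils' pdfinfo


def _cap(res, value):
    """Set soft and hard limit for one resource, never above the current hard limit."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _limits(mem_bytes, cpu_seconds):
    """Build the pre-exec hook run in the child: cap memory and CPU, disable core dumps."""
    def apply():
        _cap(resource.RLIMIT_AS, mem_bytes)
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_CORE, 0)
    return apply


def run_with_limits(argv, timeout_s=10, mem_bytes=512 << 20, cpu_seconds=5):
    """Run argv in a child under rlimits and a wall-clock timeout, with stdin closed.
    Returns a dict: timed_out, returncode (None on timeout), signal (name if killed), stdout."""
    try:
        proc = subprocess.run(argv, capture_output=True, stdin=subprocess.DEVNULL,
                              timeout=timeout_s, preexec_fn=_limits(mem_bytes, cpu_seconds))
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed the child at this point
        return {"timed_out": True, "returncode": None, "signal": None, "stdout": b""}
    rc = proc.returncode
    return {"timed_out": False, "returncode": rc,
            "signal": signal.Signals(-rc).name if rc < 0 else None,
            "stdout": proc.stdout[:4096]}


def pdf_metadata(path):
    """Inspect one untrusted PDF with pdfinfo under the limits above. A parser crash shows
    up as a signal name and a hang as timed_out=True; the caller keeps running either way."""
    return run_with_limits([PDFINFO, path])


if __name__ == "__main__":
    import sys
    for pdf in sys.argv[1:]:
        print(pdf, pdf_metadata(pdf))
```

preexec_fn runs in the forked child before exec, so the limits apply to pdfinfo and not to the calling process; the Python documentation notes it is not safe in multithreaded programs, in which case the same rlimits can be applied through a small shell wrapper or a systemd unit instead. The behaviour is the same for pdftotext, pdftoppm or any other converter that takes attacker-supplied files.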
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libpoppler134 24.02.0-1ubuntu9.1
poppler-utils 24.02.0-1ubuntu9.1
Ubuntu 22.04 LTS
libpoppler118 22.02.0-2ubuntu0.5
poppler-utils 22.02.0-2ubuntu0.5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6915-1
CVE-2024-6239
Package Information:
https://launchpad.net/ubuntu/+source/poppler/24.02.0-1ubuntu9.1
https://launchpad.net/ubuntu/+source/poppler/22.02.0-2ubuntu0.5
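Each of the five notices above ends with the package versions that carry the fix, and the practical question on a fleet is whether every host is at or above them. The script below is an added example for this page, not Ubuntu tooling: it implements dpkg's version ordering (epoch, upstream, Debian revision, with "~" sorting before everything) in pure Python so the comparisons can be checked offline, and only installed_version() touches the system through dpkg-query. The FIXED table is copied from the notices on this page; the release keys are this example's own.

```python
import subprocess

# Fixed versions from USN-6906-1, USN-6912-1, USN-6913-1, USN-6914-1 and USN-6915-1.
FIXED = {
    "24.04": {"python3-zipp": "1.0.0-6ubuntu0.1", "provd": "0.1.2+24.04",
              "libpoppler134": "24.02.0-1ubuntu9.1", "poppler-utils": "24.02.0-1ubuntu9.1"},
    "22.04": {"python3-zipp": "1.0.0-3ubuntu0.1", "php-cas": "1.3.8-1ubuntu0.22.04.1",
              "ocsinventory-server": "2.8.1+dfsg1-1ubuntu0.1",
              "ocsinventory-reports": "2.8.1+dfsg1-1ubuntu0.1",
              "libpoppler118": "22.02.0-2ubuntu0.5", "poppler-utils": "22.02.0-2ubuntu0.5"},
    "20.04": {"python3-zipp": "1.0.0-1ubuntu0.1", "python-zipp": "1.0.0-1ubuntu0.1",
              "pypy-zipp": "1.0.0-1ubuntu0.1", "php-cas": "1.3.8-1ubuntu0.20.04.1"},
}


def _order(c):
    """dpkg's character weight: '~' sorts before everything (even the end of the string),
    letters sort by code point, other symbols sort after all letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_part(a, b):
    """dpkg's verrevcmp: alternate between comparing non-digit runs character by character
    and comparing digit runs numerically. Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0   # digit or end -> 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na += a[i]
            i += 1
        while j < len(b) and b[j].isdigit():
            nb += b[j]
            j += 1
        d = int(na or "0") - int(nb or "0")
        if d:
            return d
    return 0


def compare_versions(v1, v2):
    """Order two Debian version strings like dpkg --compare-versions: <0 if v1 < v2."""
    def split(v):
        epoch = 0
        if ":" in v:
            e, v = v.split(":", 1)
            epoch = int(e)
        upstream, _, revision = v.rpartition("-")
        if not upstream:                     # no hyphen: everything is upstream, no revision
            upstream, revision = revision, ""
        return epoch, upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


def installed_version(package):
    """Installed version via dpkg-query, or None when the package is absent or only left as
    configuration files. Assumes a Debian/Ubuntu host."""
    r = subprocess.run(["dpkg-query", "-W", "-f", "${db:Status-Status} ${Version}", package],
                       capture_output=True, text=True)
    if r.returncode != 0:
        return None
    status, _, version = r.stdout.strip().partition(" ")
    return version if status == "installed" else None


def check_installed(release):
    """Packages from these notices that are installed on this host but below the fixed
    version, as {package: (installed, fixed)}; {} means nothing here is outstanding."""
    stale = {}
    for pkg, fixed in FIXED[release].items():
        have = installed_version(pkg)
        if have is not None and compare_versions(have, fixed) < 0:
            stale[pkg] = (have, fixed)
    return stale


if __name__ == "__main__":
    import sys
    print(check_installed(sys.argv[1] if len(sys.argv) > 1 else "22.04"))
```

The ordering rules matter for exactly the strings these notices use: "22.02.0-2ubuntu0.10" must sort above "22.02.0-2ubuntu0.5" (numeric runs, not string order), and a "~" suffix such as a PPA build sorts below the release it precedes. On a host with dpkg available, `dpkg --compare-versions` gives the same answers and can be used to cross-check compare_versions().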