[USN-7206-4] rsync regression
[USN-7261-1] Vim vulnerability
[USN-7262-1] Linux kernel vulnerabilities
[USN-7259-3] GNU C Library vulnerability
[USN-7259-2] GNU C Library vulnerability
[USN-7263-1] Firefox vulnerabilities
[USN-6838-2] Ruby vulnerability
[USN-7206-4] rsync regression
==========================================================================
Ubuntu Security Notice USN-7206-4
February 10, 2025
rsync regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
USN-7206-3 caused some regression in rsync.
Software Description:
- rsync: fast, versatile, remote (and local) file-copying tool
Details:
USN-7206-3 fixed vulnerabilities in rsync for Ubuntu 24.10. The update
introduced a regression in rsync. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
did not properly handle checksum lengths. An attacker could use this
issue to execute arbitrary code. (CVE-2024-12084)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
compared checksums with uninitialized memory. An attacker could exploit
this issue to leak sensitive information. (CVE-2024-12085)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
incorrectly handled file checksums. A malicious server could use this
to expose arbitrary client files. (CVE-2024-12086)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
mishandled symlinks for some settings. An attacker could exploit this
to write files outside the intended directory. (CVE-2024-12087)
Simon Scannell, Pedro Gallegos, and Jasiel Spelman discovered that rsync
failed to verify symbolic link destinations for some settings. An
attacker could exploit this for path traversal attacks. (CVE-2024-12088)
Aleksei Gorban discovered a race condition in rsync's handling of
symbolic links. An attacker could use this to access sensitive
information or escalate privileges. (CVE-2024-12747)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
rsync 3.3.0-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
After a standard system update you need to restart rsync daemons if
configured to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7206-4
https://ubuntu.com/security/notices/USN-7206-3
https://ubuntu.com/security/notices/USN-7206-2
https://ubuntu.com/security/notices/USN-7206-1
https://launchpad.net/bugs/2096914
Package Information:
https://launchpad.net/ubuntu/+source/rsync/3.3.0-1ubuntu0.2
[USN-7261-1] Vim vulnerability
==========================================================================
Ubuntu Security Notice USN-7261-1
February 10, 2025
vim vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Vim could be made crash.
Software Description:
- vim: Vi IMproved - enhanced vi editor
Details:
It was discovered that Vim incorrectly handled certain internal calls
when scrolling a window. An attacker could possibly use this issue to
cause a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
vim 2:9.1.0496-1ubuntu6.4
Ubuntu 22.04 LTS
vim 2:8.2.3995-1ubuntu2.23
Ubuntu 20.04 LTS
vim 2:8.1.2269-1ubuntu5.31
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7261-1
CVE-2025-24014
Package Information:
https://launchpad.net/ubuntu/+source/vim/2:9.1.0496-1ubuntu6.4
https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.23
https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.31
[USN-7262-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7262-1
February 10, 2025
linux, linux-aws, linux-lts-xenial vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty
Details:
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Multiple devices driver;
- Network drivers;
- Sonic Silicon Backplane drivers;
- File systems infrastructure;
- Closures library;
- Netfilter;
(CVE-2024-41012, CVE-2024-38597, CVE-2024-42252, CVE-2024-43914,
CVE-2024-38553, CVE-2024-40982, CVE-2024-41066, CVE-2024-42311,
CVE-2024-41020, CVE-2024-53141)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
linux-image-4.4.0-1178-aws 4.4.0-1178.193
Available with Ubuntu Pro
linux-image-4.4.0-263-generic 4.4.0-263.297
Available with Ubuntu Pro
linux-image-4.4.0-263-lowlatency 4.4.0-263.297
Available with Ubuntu Pro
linux-image-aws 4.4.0.1178.182
Available with Ubuntu Pro
linux-image-generic 4.4.0.263.269
Available with Ubuntu Pro
linux-image-generic-lts-xenial 4.4.0.263.269
Available with Ubuntu Pro
linux-image-lowlatency 4.4.0.263.269
Available with Ubuntu Pro
linux-image-lowlatency-lts-xenial 4.4.0.263.269
Available with Ubuntu Pro
linux-image-virtual 4.4.0.263.269
Available with Ubuntu Pro
linux-image-virtual-lts-xenial 4.4.0.263.269
Available with Ubuntu Pro
Ubuntu 14.04 LTS
linux-image-4.4.0-1140-aws 4.4.0-1140.146
Available with Ubuntu Pro
linux-image-4.4.0-263-generic 4.4.0-263.297~14.04.1
Available with Ubuntu Pro
linux-image-4.4.0-263-lowlatency 4.4.0-263.297~14.04.1
Available with Ubuntu Pro
linux-image-aws 4.4.0.1140.137
Available with Ubuntu Pro
linux-image-generic-lts-xenial 4.4.0.263.297~14.04.1
Available with Ubuntu Pro
linux-image-lowlatency-lts-xenial 4.4.0.263.297~14.04.1
Available with Ubuntu Pro
linux-image-virtual-lts-xenial 4.4.0.263.297~14.04.1
Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7262-1
CVE-2024-38553, CVE-2024-38597, CVE-2024-40982, CVE-2024-41012,
CVE-2024-41020, CVE-2024-41066, CVE-2024-42252, CVE-2024-42311,
CVE-2024-43914, CVE-2024-53141
[USN-7259-3] GNU C Library vulnerability
==========================================================================
Ubuntu Security Notice USN-7259-3
February 10, 2025
eglibc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
GNU C Library could be made to crash or run programs if it received
specially crafted input.
Software Description:
- eglibc: GNU C Library
Details:
USN-7259-1 fixed a vulnerability in GNU C Library. This update provides the
corresponding update for Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that GNU C Library incorrectly handled memory when using
the assert function. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS
libc6 2.19-0ubuntu6.15+esm4
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7259-3
https://ubuntu.com/security/notices/USN-7259-2
https://ubuntu.com/security/notices/USN-7259-1
CVE-2025-0395
[USN-7259-2] GNU C Library vulnerability
==========================================================================
Ubuntu Security Notice USN-7259-2
February 10, 2025
glibc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
GNU C Library could be made to crash or run programs if it received
specially crafted input.
Software Description:
- glibc: GNU C Library
Details:
USN-7259-1 fixed a vulnerability in GNU C Library. This update provides the
corresponding update for Ubuntu 16.04 LTS.
Original advisory details:
It was discovered that GNU C Library incorrectly handled memory when using
the assert function. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
libc6 2.23-0ubuntu11.3+esm8
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7259-2
https://ubuntu.com/security/notices/USN-7259-1
CVE-2025-0395
[USN-7263-1] Firefox vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7263-1
February 11, 2025
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2025-1011,
CVE-2025-1013, CVE-2025-1014, CVE-2025-1016, CVE-2025-1017, CVE-2025-1018,
CVE-2025-1019, CVE-2025-1020)
Ivan Fratric discovered that Firefox did not properly handle XSLT data,
leading to a use-after-free vulnerability. An attacker could potentially
exploit this issue to cause a denial of service, or execute arbitrary code.
(CVE-2025-1009)
Atte Kettunen discovered that Firefox did not properly manage memory in
the Custom Highlight API, leading to a use-after-free vulnerability. An
attacker could potentially exploit this issue to cause a denial of service,
or execute arbitrary code. (CVE-2025-1010)
Nils Bars discovered that Firefox did not properly manage memory during
concurrent delazification, leading to a use-after-free vulnerability.
An attacker could potentially exploit this issue to cause a denial of
service, or execute arbitrary code. (CVE-2025-1012)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
firefox 135.0+build2-0ubuntu0.20.04.1
After a standard system update you need to restart Firefox to make all the
necessary changes
References:
https://ubuntu.com/security/notices/USN-7263-1
CVE-2025-1009, CVE-2025-1010, CVE-2025-1011, CVE-2025-1012,
CVE-2025-1013, CVE-2025-1014, CVE-2025-1016, CVE-2025-1017,
CVE-2025-1018, CVE-2025-1019, CVE-2025-1020
Package Information:
https://launchpad.net/ubuntu/+source/firefox/135.0+build2-0ubuntu0.20.04.1
[USN-6838-2] Ruby vulnerability
==========================================================================
Ubuntu Security Notice USN-6838-2
February 10, 2025
ruby2.3, ruby2.5 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Ruby could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language
Details:
USN-6838-1 fixed CVE-2024-27281 in Ruby 2.7, Ruby 3.0, Ruby 3.1,
and Ruby 3.2. This update provides the corresponding updates for
Ruby 2.3 and Ruby 2.5.
Original advisory details:
It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If
a user or automated system were tricked into parsing a specially crafted
.rdoc_options file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2024-27281)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
libruby2.5 2.5.1-1ubuntu1.16+esm3
Available with Ubuntu Pro
ruby2.5 2.5.1-1ubuntu1.16+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libruby2.3 2.3.1-2~ubuntu16.04.16+esm9
Available with Ubuntu Pro
ruby2.3 2.3.1-2~ubuntu16.04.16+esm9
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6838-2
( https://ubuntu.com/security/notices/USN-6838-2)
https://ubuntu.com/security/notices/USN-6838-1
( https://ubuntu.com/security/notices/USN-6838-1)
CVE-2024-27281
