
Ubuntu Linux has received updates addressing security vulnerabilities in Ruby, mpg123, and Werkzeug:

[USN-7091-1] Ruby vulnerabilities
[USN-7092-1] mpg123 vulnerability
[USN-7093-1] Werkzeug vulnerability



[USN-7091-1] Ruby vulnerabilities


=========================================================================
Ubuntu Security Notice USN-7091-1
November 05, 2024

ruby3.0, ruby3.2, ruby3.3 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description:
- ruby3.3: Object-oriented scripting language
- ruby3.2: Object-oriented scripting language
- ruby3.0: Object-oriented scripting language

Details:

It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using the REXML gem.
An attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)

It was discovered that Ruby incorrectly handled parsing of an XML document
that has many entity expansions with the SAX2 or pull parser API. An
attacker could use this issue to cause Ruby to crash, resulting in a denial
of service. (CVE-2024-41946)

It was discovered that Ruby incorrectly handled parsing of an XML document
that has many digits in a hex numeric character reference. An attacker
could use this issue to cause Ruby to crash, resulting in a denial of
service. (CVE-2024-49761)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
libruby3.3 3.3.4-2ubuntu5.1
ruby3.3 3.3.4-2ubuntu5.1

Ubuntu 24.04 LTS
libruby3.2 3.2.3-1ubuntu0.24.04.3
ruby3.2 3.2.3-1ubuntu0.24.04.3

Ubuntu 22.04 LTS
libruby3.0 3.0.2-7ubuntu2.8
ruby3.0 3.0.2-7ubuntu2.8

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7091-1
CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946,
CVE-2024-49761

Package Information:
https://launchpad.net/ubuntu/+source/ruby3.3/3.3.4-2ubuntu5.1
https://launchpad.net/ubuntu/+source/ruby3.2/3.2.3-1ubuntu0.24.04.3
https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.8



[USN-7092-1] mpg123 vulnerability


==========================================================================
Ubuntu Security Notice USN-7092-1
November 05, 2024

mpg123 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

mpg123 could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- mpg123: MPEG layer 1/2/3 audio player

Details:

It was discovered that mpg123 incorrectly handled certain mp3 files. If a
user or automated system were tricked into opening a specially crafted mp3
file, a remote attacker could use this issue to cause mpg123 to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
libmpg123-0t64 1.32.7-1ubuntu0.1
mpg123 1.32.7-1ubuntu0.1

Ubuntu 24.04 LTS
libmpg123-0t64 1.32.5-1ubuntu1.1
mpg123 1.32.5-1ubuntu1.1

Ubuntu 22.04 LTS
libmpg123-0 1.29.3-1ubuntu0.1
mpg123 1.29.3-1ubuntu0.1

Ubuntu 20.04 LTS
libmpg123-0 1.25.13-1ubuntu0.1
mpg123 1.25.13-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7092-1
CVE-2024-10573

Package Information:
https://launchpad.net/ubuntu/+source/mpg123/1.32.7-1ubuntu0.1
https://launchpad.net/ubuntu/+source/mpg123/1.32.5-1ubuntu1.1
https://launchpad.net/ubuntu/+source/mpg123/1.29.3-1ubuntu0.1
https://launchpad.net/ubuntu/+source/mpg123/1.25.13-1ubuntu0.1



[USN-7093-1] Werkzeug vulnerability


==========================================================================
Ubuntu Security Notice USN-7093-1
November 05, 2024

python-werkzeug vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Werkzeug could be made to consume resources if it received specially
crafted network traffic.

Software Description:
- python-werkzeug: collection of utilities for WSGI applications

Details:

It was discovered that Werkzeug incorrectly handled multiple form
submission requests. A remote attacker could possibly use this issue to
cause Werkzeug to consume resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
python3-werkzeug 3.0.3-1ubuntu0.1

Ubuntu 24.04 LTS
python3-werkzeug 3.0.1-3ubuntu0.2

Ubuntu 22.04 LTS
python3-werkzeug 2.0.2+dfsg1-1ubuntu0.22.04.3

In general, a standard system update will make all the necessary changes.
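A worked check for the update instructions in all three notices above, added here as an example and not part of the Ubuntu notices themselves. It reproduces the deb-version(7) ordering that `dpkg --compare-versions` uses, so a version such as 3.2.3-1ubuntu0.24.04.10 is correctly ranked above 3.2.3-1ubuntu0.24.04.3, and compares what a host reports against the fixed versions listed in USN-7091-1, USN-7092-1 and USN-7093-1. The dpkg-query output embedded in the block is constructed sample data; on a real host, feed the function the output of `dpkg-query -W -f='${Package}\t${Version}\n'` instead.

```python
# Added example: check installed package versions against the fixed versions
# in USN-7091-1, USN-7092-1 and USN-7093-1, using the deb-version(7) ordering.
FIXED_VERSIONS = {  # copied from the three notices, keyed by Ubuntu release
    "24.10": {"libruby3.3": "3.3.4-2ubuntu5.1", "ruby3.3": "3.3.4-2ubuntu5.1",
              "libmpg123-0t64": "1.32.7-1ubuntu0.1", "mpg123": "1.32.7-1ubuntu0.1",
              "python3-werkzeug": "3.0.3-1ubuntu0.1"},
    "24.04": {"libruby3.2": "3.2.3-1ubuntu0.24.04.3", "ruby3.2": "3.2.3-1ubuntu0.24.04.3",
              "libmpg123-0t64": "1.32.5-1ubuntu1.1", "mpg123": "1.32.5-1ubuntu1.1",
              "python3-werkzeug": "3.0.1-3ubuntu0.2"},
    "22.04": {"libruby3.0": "3.0.2-7ubuntu2.8", "ruby3.0": "3.0.2-7ubuntu2.8",
              "libmpg123-0": "1.29.3-1ubuntu0.1", "mpg123": "1.29.3-1ubuntu0.1",
              "python3-werkzeug": "2.0.2+dfsg1-1ubuntu0.22.04.3"},
    "20.04": {"libmpg123-0": "1.25.13-1ubuntu0.1", "mpg123": "1.25.13-1ubuntu0.1"},
}


def _order(c):
    # Character weight as in dpkg: '~' sorts before everything (even end of
    # string), digits are handled separately, letters before other symbols.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one upstream-version or revision part, deb-version(7) style."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: end of string weighs 0, so "1.0a" > "1.0" > "1.0~rc1".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = (a[i] > b[j]) - (a[i] < b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1, like `dpkg --compare-versions a lt/eq/gt b`."""
    def split(v):
        epoch = 0
        if ":" in v:
            e, v = v.split(":", 1)
            epoch = int(e)
        upstream, sep, revision = v.rpartition("-")
        if not sep:  # no Debian revision present
            upstream, revision = v, ""
        return epoch, upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_dpkg_query(text):
    """Parse tab-separated 'package<TAB>version' lines from dpkg-query -W."""
    installed = {}
    for line in text.splitlines():
        if "\t" in line:
            pkg, ver = line.split("\t", 1)
            installed[pkg.strip()] = ver.strip()
    return installed


def audit(release, dpkg_output):
    """Map each covered installed package to True (patched) or False (not)."""
    installed = parse_dpkg_query(dpkg_output)
    fixed = FIXED_VERSIONS[release]
    return {pkg: compare_versions(ver, fixed[pkg]) >= 0
            for pkg, ver in installed.items() if pkg in fixed}


# Constructed sample dpkg-query output for an Ubuntu 24.04 host that has
# applied the mpg123 update but not yet the Ruby or Werkzeug ones.
SAMPLE_DPKG_OUTPUT = (
    "libruby3.2\t3.2.3-1ubuntu0.24.04.2\n"
    "ruby3.2\t3.2.3-1ubuntu0.24.04.2\n"
    "libmpg123-0t64\t1.32.5-1ubuntu1.1\n"
    "mpg123\t1.32.5-1ubuntu1.1\n"
    "python3-werkzeug\t3.0.1-3ubuntu0.1\n"
)

if __name__ == "__main__":
    print(audit("24.04", SAMPLE_DPKG_OUTPUT))
```

The comparison is done in Python rather than by shelling out to dpkg so the check can run on a central host against inventory data collected elsewhere; a package is reported patched only when its version is at or above the fixed version for that release, and packages the notices do not cover are ignored.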

References:
https://ubuntu.com/security/notices/USN-7093-1
CVE-2024-49767

Package Information:
https://launchpad.net/ubuntu/+source/python-werkzeug/3.0.3-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-werkzeug/3.0.1-3ubuntu0.2
https://launchpad.net/ubuntu/+source/python-werkzeug/2.0.2+dfsg1-1ubuntu0.22.04.3