Ubuntu 6614 Published by

The following new security updates are available for Ubuntu Linux:

[USN-6838-1] Ruby vulnerabilities
[USN-6836-1] SSSD vulnerability
[USN-6837-1] Rack vulnerabilities
[USN-6835-1] Ghostscript vulnerabilities




[USN-6838-1] Ruby vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6838-1
June 17, 2024

ruby2.7, ruby3.0, ruby3.1, ruby3.2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description:
- ruby3.2: Object-oriented scripting language
- ruby3.1: Object-oriented scripting language
- ruby3.0: Object-oriented scripting language
- ruby2.7: Object-oriented scripting language

Details:

It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If
a user or automated system were tricked into parsing a specially crafted
.rdoc_options file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2024-27281)

It was discovered that the Ruby regex compiler incorrectly handled certain
memory operations. A remote attacker could possibly use this issue to
obtain sensitive memory contents. (CVE-2024-27282)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libruby3.2 3.2.3-1ubuntu0.24.04.1
ruby3.2 3.2.3-1ubuntu0.24.04.1

Ubuntu 23.10
libruby3.1 3.1.2-7ubuntu3.2
ruby3.1 3.1.2-7ubuntu3.2

Ubuntu 22.04 LTS
libruby3.0 3.0.2-7ubuntu2.6
ruby3.0 3.0.2-7ubuntu2.6

Ubuntu 20.04 LTS
libruby2.7 2.7.0-5ubuntu1.13
ruby2.7 2.7.0-5ubuntu1.13

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6838-1
CVE-2024-27281, CVE-2024-27282

Package Information:
https://launchpad.net/ubuntu/+source/ruby3.2/3.2.3-1ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/ruby3.1/3.1.2-7ubuntu3.2
https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.6
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.13



[USN-6836-1] SSSD vulnerability


==========================================================================
Ubuntu Security Notice USN-6836-1
June 17, 2024

sssd vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

SSSD did not always correctly apply the GPO policy.

Software Description:
- sssd: System Security Services Daemon

Details:

It was discovered that SSSD did not always correctly apply the GPO policy
for authenticated users, contrary to expectations. This could result in
improper authorization or improper access to resources.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
sssd 2.9.4-1.1ubuntu6.1

Ubuntu 23.10
sssd 2.9.1-2ubuntu2.1

Ubuntu 22.04 LTS
sssd 2.6.3-1ubuntu3.3

Ubuntu 20.04 LTS
sssd 2.2.3-3ubuntu0.13

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6836-1
CVE-2023-3758

Package Information:
https://launchpad.net/ubuntu/+source/sssd/2.9.4-1.1ubuntu6.1
https://launchpad.net/ubuntu/+source/sssd/2.9.1-2ubuntu2.1
https://launchpad.net/ubuntu/+source/sssd/2.6.3-1ubuntu3.3
https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu0.13



[USN-6837-1] Rack vulnerabilities


==========================================================================
Ubuntu Security Notice USN-6837-1
June 17, 2024

ruby-rack vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10

Summary:

Several security issues were fixed in Rack.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack incorrectly handled Multipart MIME parsing. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. This issue only affected Ubuntu
23.10. (CVE-2023-27530)

It was discovered that Rack incorrectly parsed certain media types. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-25126)

It was discovered that Rack incorrectly handled certain Range headers. A
remote attacker could possibly use this issue to cause Rack to create large
responses, leading to a denial of service. This issue only affected Ubuntu
24.04 LTS. (CVE-2024-26141)

It was discovered that Rack incorrectly handled certain crafted headers. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. This issue only affected Ubuntu
24.04 LTS. (CVE-2024-26146)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
ruby-rack 2.2.7-1ubuntu0.1

Ubuntu 23.10
ruby-rack 2.2.4-3ubuntu0.2

After a standard system update you need to restart any applications using
Rack to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6837-1
CVE-2023-27530, CVE-2024-25126, CVE-2024-26141, CVE-2024-26146

Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1ubuntu0.1
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.4-3ubuntu0.2



[USN-6835-1] Ghostscript vulnerabilities


NotDashEscaped: You need gpg to verify this message

==========================================================================
Ubuntu Security Notice USN-6835-1
June 17, 2024

ghostscript vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Ghostscript.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

It was discovered that Ghostscript did not properly restrict eexec
seeds to those specified by the Type 1 Font Format standard when
SAFER mode is used. An attacker could use this issue to bypass SAFER
restrictions and cause unspecified impact. (CVE-2023-52722)
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10.

Thomas Rinsma discovered that Ghostscript did not prevent changes to
uniprint device argument strings after SAFER is activated, resulting
in a format-string vulnerability. An attacker could possibly use this
to execute arbitrary code. (CVE-2024-29510)

Zdenek Hutyra discovered that Ghostscript did not properly perform
path reduction when validating paths. An attacker could use this to
access file locations outside of those allowed by SAFER policy and
possibly execute arbitrary code. (CVE-2024-33869)

Zdenek Hutyra discovered that Ghostscript did not properly check
arguments when reducing paths. An attacker could use this to
access file locations outside of those allowed by SAFER policy.
(CVE-2024-33870)

Zdenek Hutyra discovered that the "Driver" parameter for Ghostscript's
"opvp"/"oprp" device allowed specifying the name of an arbitrary dynamic
library to load. An attacker could use this to execute arbitrary code.
(CVE-2024-33871)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
ghostscript 10.02.1~dfsg1-0ubuntu7.1
ghostscript-doc 10.02.1~dfsg1-0ubuntu7.1

Ubuntu 23.10
ghostscript 10.01.2~dfsg1-0ubuntu2.3
ghostscript-doc 10.01.2~dfsg1-0ubuntu2.3
ghostscript-x 10.01.2~dfsg1-0ubuntu2.3

Ubuntu 22.04 LTS
ghostscript 9.55.0~dfsg1-0ubuntu5.7
ghostscript-doc 9.55.0~dfsg1-0ubuntu5.7
ghostscript-x 9.55.0~dfsg1-0ubuntu5.7

Ubuntu 20.04 LTS
ghostscript 9.50~dfsg-5ubuntu4.12
ghostscript-doc 9.50~dfsg-5ubuntu4.12
ghostscript-x 9.50~dfsg-5ubuntu4.12

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6835-1
CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870,
CVE-2024-33871

Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/10.02.1~dfsg1-0ubuntu7.1
https://launchpad.net/ubuntu/+source/ghostscript/10.01.2~dfsg1-0ubuntu2.3
https://launchpad.net/ubuntu/+source/ghostscript/9.55.0~dfsg1-0ubuntu5.7
https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.12