[USN-6750-1] Thunderbird vulnerabilities
[USN-6751-1] Zabbix vulnerabilities
[USN-6752-1] FreeRDP vulnerabilities
[USN-6754-1] nghttp2 vulnerabilities
[USN-6753-1] CryptoJS vulnerability
[USN-6750-1] Thunderbird vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6750-1
April 25, 2024
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-2609, CVE-2024-3852,
CVE-2024-3864)
Bartek Nowotarski discovered that Thunderbird did not properly limit HTTP/2
CONTINUATION frames. An attacker could potentially exploit this issue to
cause a denial of service. (CVE-2024-3302)
Lukas Bernhard discovered that Thunderbird did not properly manage memory
during JIT optimisations, leading to an out-of-bounds read vulnerability.
An attacker could possibly use this issue to cause a denial of service or
expose sensitive information. (CVE-2024-3854)
Lukas Bernhard discovered that Thunderbird did not properly manage memory
when handling JIT created code during garbage collection. An attacker
could potentially exploit this issue to cause a denial of service, or
execute arbitrary code. (CVE-2024-3857)
Ronald Crane discovered that Thunderbird did not properly manage memory in
the OpenType sanitizer on 32-bit devices, leading to an out-of-bounds read
vulnerability. An attacker could possibly use this issue to cause a denial
of service or expose sensitive information. (CVE-2024-3859)
Ronald Crane discovered that Thunderbird did not properly manage memory
when handling an AlignedBuffer. An attacker could potentially exploit this
issue to cause denial of service, or execute arbitrary code. (CVE-2024-3861)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
thunderbird 1:115.10.1+build1-0ubuntu0.23.10.1
Ubuntu 22.04 LTS:
thunderbird 1:115.10.1+build1-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
thunderbird 1:115.10.1+build1-0ubuntu0.20.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6750-1
CVE-2024-2609, CVE-2024-3302, CVE-2024-3852, CVE-2024-3854,
CVE-2024-3857, CVE-2024-3859, CVE-2024-3861, CVE-2024-3864
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.23.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:115.10.1+build1-0ubuntu0.20.04.1
[USN-6751-1] Zabbix vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6751-1
April 25, 2024
zabbix vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
Zabbix could allow reflected cross-site scripting (XSS) attacks.
Software Description:
- zabbix: Open-source monitoring software tool for diverse IT components
Details:
It was discovered that Zabbix incorrectly handled input data in the
discovery and graphs pages. A remote authenticated attacker could possibly
use this issue to perform reflected cross-site scripting (XSS) attacks.
(CVE-2022-35229, CVE-2022-35230)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS (Available with Ubuntu Pro):
zabbix-agent 1:4.0.17+dfsg-1ubuntu0.1~esm1
zabbix-frontend-php 1:4.0.17+dfsg-1ubuntu0.1~esm1
zabbix-java-gateway 1:4.0.17+dfsg-1ubuntu0.1~esm1
zabbix-proxy-mysql 1:4.0.17+dfsg-1ubuntu0.1~esm1
zabbix-proxy-pgsql 1:4.0.17+dfsg-1ubuntu0.1~esm1
zabbix-proxy-sqlite3 1:4.0.17+dfsg-1ubuntu0.1~esm1
zabbix-server-mysql 1:4.0.17+dfsg-1ubuntu0.1~esm1
zabbix-server-pgsql 1:4.0.17+dfsg-1ubuntu0.1~esm1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
zabbix-agent 1:3.0.12+dfsg-1ubuntu0.1~esm3
zabbix-frontend-php 1:3.0.12+dfsg-1ubuntu0.1~esm3
zabbix-java-gateway 1:3.0.12+dfsg-1ubuntu0.1~esm3
zabbix-proxy-mysql 1:3.0.12+dfsg-1ubuntu0.1~esm3
zabbix-proxy-pgsql 1:3.0.12+dfsg-1ubuntu0.1~esm3
zabbix-proxy-sqlite3 1:3.0.12+dfsg-1ubuntu0.1~esm3
zabbix-server-mysql 1:3.0.12+dfsg-1ubuntu0.1~esm3
zabbix-server-pgsql 1:3.0.12+dfsg-1ubuntu0.1~esm3
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
zabbix-agent 1:2.4.7+dfsg-2ubuntu2.1+esm3
zabbix-frontend-php 1:2.4.7+dfsg-2ubuntu2.1+esm3
zabbix-java-gateway 1:2.4.7+dfsg-2ubuntu2.1+esm3
zabbix-proxy-mysql 1:2.4.7+dfsg-2ubuntu2.1+esm3
zabbix-proxy-pgsql 1:2.4.7+dfsg-2ubuntu2.1+esm3
zabbix-proxy-sqlite3 1:2.4.7+dfsg-2ubuntu2.1+esm3
zabbix-server-mysql 1:2.4.7+dfsg-2ubuntu2.1+esm3
zabbix-server-pgsql 1:2.4.7+dfsg-2ubuntu2.1+esm3
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
zabbix-agent 1:2.2.2+dfsg-1ubuntu1+esm5
zabbix-frontend-php 1:2.2.2+dfsg-1ubuntu1+esm5
zabbix-java-gateway 1:2.2.2+dfsg-1ubuntu1+esm5
zabbix-proxy-mysql 1:2.2.2+dfsg-1ubuntu1+esm5
zabbix-proxy-pgsql 1:2.2.2+dfsg-1ubuntu1+esm5
zabbix-proxy-sqlite3 1:2.2.2+dfsg-1ubuntu1+esm5
zabbix-server-mysql 1:2.2.2+dfsg-1ubuntu1+esm5
zabbix-server-pgsql 1:2.2.2+dfsg-1ubuntu1+esm5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6751-1
( https://ubuntu.com/security/notices/USN-6751-1)
CVE-2022-35229, CVE-2022-35230
[USN-6752-1] FreeRDP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6752-1
April 25, 2024
freerdp2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in FreeRDP.
Software Description:
- freerdp2: RDP client for Windows Terminal Services
Details:
It was discovered that FreeRDP incorrectly handled certain memory
operations. If a user were tricked into connecting to a malicious server, a
remote attacker could possibly use this issue to cause FreeRDP to crash,
resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
libfreerdp2-2 2.10.0+dfsg1-1.1ubuntu1.3
Ubuntu 22.04 LTS:
libfreerdp2-2 2.6.1+dfsg1-3ubuntu2.7
Ubuntu 20.04 LTS:
libfreerdp2-2 2.6.1+dfsg1-0ubuntu0.20.04.2
After a standard system update you need to restart your session to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6752-1
CVE-2024-32658, CVE-2024-32659, CVE-2024-32660, CVE-2024-32661
Package Information:
https://launchpad.net/ubuntu/+source/freerdp2/2.10.0+dfsg1-1.1ubuntu1.3
https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-3ubuntu2.7
https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-0ubuntu0.20.04.2
[USN-6754-1] nghttp2 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6754-1
April 25, 2024
nghttp2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in nghttp2.
Software Description:
- nghttp2: HTTP/2 C Library and tools
Details:
It was discovered that nghttp2 incorrectly handled the HTTP/2
implementation. A remote attacker could possibly use this issue to cause
nghttp2 to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
CVE-2019-9513)
It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)
It was discovered that nghttp2 could be made to process an unlimited number
of HTTP/2 CONTINUATION frames. A remote attacker could possibly use this
issue to cause nghttp2 to consume resources, leading to a denial of
service. (CVE-2024-28182)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
libnghttp2-14 1.55.1-1ubuntu0.2
nghttp2 1.55.1-1ubuntu0.2
nghttp2-client 1.55.1-1ubuntu0.2
nghttp2-proxy 1.55.1-1ubuntu0.2
nghttp2-server 1.55.1-1ubuntu0.2
Ubuntu 22.04 LTS:
libnghttp2-14 1.43.0-1ubuntu0.2
nghttp2 1.43.0-1ubuntu0.2
nghttp2-client 1.43.0-1ubuntu0.2
nghttp2-proxy 1.43.0-1ubuntu0.2
nghttp2-server 1.43.0-1ubuntu0.2
Ubuntu 20.04 LTS:
libnghttp2-14 1.40.0-1ubuntu0.3
nghttp2 1.40.0-1ubuntu0.3
nghttp2-client 1.40.0-1ubuntu0.3
nghttp2-proxy 1.40.0-1ubuntu0.3
nghttp2-server 1.40.0-1ubuntu0.3
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libnghttp2-14 1.30.0-1ubuntu1+esm2
nghttp2 1.30.0-1ubuntu1+esm2
nghttp2-client 1.30.0-1ubuntu1+esm2
nghttp2-proxy 1.30.0-1ubuntu1+esm2
nghttp2-server 1.30.0-1ubuntu1+esm2
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libnghttp2-14 1.7.1-1ubuntu0.1~esm2
nghttp2 1.7.1-1ubuntu0.1~esm2
nghttp2-client 1.7.1-1ubuntu0.1~esm2
nghttp2-proxy 1.7.1-1ubuntu0.1~esm2
nghttp2-server 1.7.1-1ubuntu0.1~esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6754-1
CVE-2019-9511, CVE-2019-9513, CVE-2023-44487, CVE-2024-28182
Package Information:
https://launchpad.net/ubuntu/+source/nghttp2/1.55.1-1ubuntu0.2
https://launchpad.net/ubuntu/+source/nghttp2/1.43.0-1ubuntu0.2
https://launchpad.net/ubuntu/+source/nghttp2/1.40.0-1ubuntu0.3
[USN-6753-1] CryptoJS vulnerability
==========================================================================
Ubuntu Security Notice USN-6753-1
April 25, 2024
cryptojs vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
CryptoJS could be made to expose sensitive information.
Software Description:
- cryptojs: collection of cryptographic algorithms implemented in JavaScript
Details:
Thomas Neil James Shadwell discovered that CryptoJS was using an insecure
cryptographic default configuration. A remote attacker could possibly use
this issue to expose sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS (Available with Ubuntu Pro):
libjs-cryptojs 3.1.2+dfsg-3ubuntu0.22.04.1~esm1
Ubuntu 20.04 LTS:
libjs-cryptojs 3.1.2+dfsg-2ubuntu0.20.04.1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libjs-cryptojs 3.1.2+dfsg-2ubuntu0.18.04.1~esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libjs-cryptojs 3.1.2+dfsg-2ubuntu0.16.04.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6753-1
CVE-2023-46233
Package Information:
https://launchpad.net/ubuntu/+source/cryptojs/3.1.2+dfsg-2ubuntu0.20.04.1