[USN-7140-1] Tinyproxy vulnerability
==========================================================================
Ubuntu Security Notice USN-7140-1
December 09, 2024
tinyproxy vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
tinyproxy could be made to expose sensitive information.
Software Description:
- tinyproxy: Lightweight, non-caching, optionally anonymizing HTTP proxy
Details:
It was discovered that Tinyproxy did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to leak
left-over heap data if custom error page templates containing special
non-standard variables are used.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
tinyproxy 1.11.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
tinyproxy-bin 1.11.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
tinyproxy 1.10.0-4ubuntu0.1
tinyproxy-bin 1.10.0-4ubuntu0.1
Ubuntu 18.04 LTS
tinyproxy 1.8.4-5ubuntu0.1~esm2
Available with Ubuntu Pro
tinyproxy-bin 1.8.4-5ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
tinyproxy 1.8.3-3ubuntu16.04.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7140-1
CVE-2022-40468
Package Information:
https://launchpad.net/ubuntu/+source/tinyproxy/1.10.0-4ubuntu0.1
[USN-7142-1] WebKitGTK vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7142-1
December 09, 2024
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in WebKitGTK.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libjavascriptcoregtk-4.1-0 2.46.4-0ubuntu0.24.10.1
libjavascriptcoregtk-6.0-1 2.46.4-0ubuntu0.24.10.1
libwebkit2gtk-4.1-0 2.46.4-0ubuntu0.24.10.1
libwebkitgtk-6.0-4 2.46.4-0ubuntu0.24.10.1
Ubuntu 24.04 LTS
libjavascriptcoregtk-4.1-0 2.46.4-0ubuntu0.24.04.1
libjavascriptcoregtk-6.0-1 2.46.4-0ubuntu0.24.04.1
libwebkit2gtk-4.1-0 2.46.4-0ubuntu0.24.04.1
libwebkitgtk-6.0-4 2.46.4-0ubuntu0.24.04.1
Ubuntu 22.04 LTS
libjavascriptcoregtk-4.0-18 2.46.4-0ubuntu0.22.04.1
libjavascriptcoregtk-4.1-0 2.46.4-0ubuntu0.22.04.1
libjavascriptcoregtk-6.0-1 2.46.4-0ubuntu0.22.04.1
libwebkit2gtk-4.0-37 2.46.4-0ubuntu0.22.04.1
libwebkit2gtk-4.1-0 2.46.4-0ubuntu0.22.04.1
libwebkitgtk-6.0-4 2.46.4-0ubuntu0.22.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7142-1
CVE-2024-44308, CVE-2024-44309
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.4-0ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.4-0ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.46.4-0ubuntu0.22.04.1
[USN-7141-1] oFono vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7141-1
December 09, 2024
ofono vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in oFono.
Software Description:
- ofono: Mobile telephony stack
Details:
It was discovered that oFono incorrectly handled decoding SMS messages,
leading to a stack overflow. A remote attacker could potentially use
this issue to cause a denial of service.
(CVE-2023-2794, CVE-2023-4233, CVE-2023-4234)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
ofono 1.31-3ubuntu3.24.10.1
Ubuntu 24.04 LTS
ofono 1.31-3ubuntu3.24.04.1
Ubuntu 22.04 LTS
ofono 1.31-3ubuntu1.1
Ubuntu 20.04 LTS
ofono 1.31-2ubuntu1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
ofono 1.21-1ubuntu1+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
ofono 1.17.bzr6912+16.04.20160314.3-0ubuntu1+esm1
Available with Ubuntu Pro
After a standard system update you need to restart oFono to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7141-1
CVE-2023-2794, CVE-2023-4233, CVE-2023-4234
Package Information:
https://launchpad.net/ubuntu/+source/ofono/1.31-3ubuntu3.24.10.1
https://launchpad.net/ubuntu/+source/ofono/1.31-3ubuntu3.24.04.1
https://launchpad.net/ubuntu/+source/ofono/1.31-3ubuntu1.1
[USN-7144-1] Linux kernel (Intel IoTG) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7144-1
December 09, 2024
linux-intel-iotg, linux-intel-iotg-5.15 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-intel-iotg: Linux kernel for Intel IoT platforms
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms
Details:
Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and
Shweta Shinde discovered that the Confidential Computing framework in the
Linux kernel for x86 platforms did not properly handle 32-bit emulation on
TDX and SEV. An attacker with access to the VMM could use this to cause a
denial of service (guest crash) or possibly execute arbitrary code.
(CVE-2024-25744)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- MIPS architecture;
- PowerPC architecture;
- RISC-V architecture;
- User-Mode Linux (UML);
- x86 architecture;
- Block layer subsystem;
- Android drivers;
- Serial ATA and Parallel ATA drivers;
- ATM drivers;
- Drivers core;
- Null block device driver;
- Character device driver;
- ARM SCMI message protocol;
- GPU drivers;
- HID subsystem;
- Hardware monitoring drivers;
- I3C subsystem;
- InfiniBand drivers;
- Input Device core drivers;
- Input Device (Miscellaneous) drivers;
- IOMMU subsystem;
- IRQ chip drivers;
- ISDN/mISDN subsystem;
- LED subsystem;
- Multiple devices driver;
- Media drivers;
- VMware VMCI Driver;
- MMC subsystem;
- Ethernet bonding driver;
- Network drivers;
- Mellanox network drivers;
- Near Field Communication (NFC) drivers;
- NVME drivers;
- Device tree and open firmware driver;
- Parport drivers;
- PCI subsystem;
- Pin controllers subsystem;
- Remote Processor subsystem;
- S/390 drivers;
- SCSI subsystem;
- QCOM SoC drivers;
- Direct Digital Synthesis drivers;
- Thunderbolt and USB4 drivers;
- TTY drivers;
- Userspace I/O drivers;
- DesignWare USB3 driver;
- USB Gadget drivers;
- USB Host Controller drivers;
- USB Type-C Connector System Software Interface driver;
- USB over IP driver;
- Virtio Host (VHOST) subsystem;
- File systems infrastructure;
- BTRFS file system;
- Ext4 file system;
- F2FS file system;
- JFS file system;
- NILFS2 file system;
- File system notification infrastructure;
- NTFS3 file system;
- Proc file system;
- SMB network file system;
- Bitmap API;
- Objagg library;
- Perf events;
- Virtio network driver;
- KCM (Kernel Connection Multiplexor) sockets driver;
- Network traffic control;
- Control group (cgroup);
- DMA mapping infrastructure;
- Locking primitives;
- Padata parallel execution mechanism;
- RCU subsystem;
- Scheduler infrastructure;
- Tracing infrastructure;
- Radix Tree data structure library;
- Kernel userspace event delivery library;
- Memory management;
- Amateur Radio drivers;
- Bluetooth subsystem;
- Ethernet bridge;
- CAN network layer;
- Networking core;
- Ethtool driver;
- IPv4 networking;
- IPv6 networking;
- IUCV driver;
- MAC80211 subsystem;
- Multipath TCP;
- Netfilter;
- SCTP protocol;
- Sun RPC protocol;
- TIPC protocol;
- TLS protocol;
- Wireless networking;
- AppArmor security module;
- Landlock security;
- Simplified Mandatory Access Control Kernel framework;
- FireWire sound drivers;
- SoC audio core drivers;
- USB sound devices;
(CVE-2024-42280, CVE-2024-46759, CVE-2024-42286, CVE-2024-41042,
CVE-2024-42276, CVE-2024-46732, CVE-2024-43902, CVE-2024-47665,
CVE-2024-46675, CVE-2024-43873, CVE-2024-46761, CVE-2024-42281,
CVE-2024-46795, CVE-2024-43869, CVE-2024-39472, CVE-2024-46800,
CVE-2024-44998, CVE-2024-46746, CVE-2024-46747, CVE-2024-41011,
CVE-2024-43871, CVE-2024-46737, CVE-2024-42318, CVE-2024-46731,
CVE-2024-41022, CVE-2024-42285, CVE-2024-46752, CVE-2024-46818,
CVE-2024-44935, CVE-2024-44946, CVE-2024-44944, CVE-2024-41015,
CVE-2024-42312, CVE-2024-46676, CVE-2024-43834, CVE-2024-44966,
CVE-2024-46743, CVE-2024-45026, CVE-2024-46805, CVE-2024-26607,
CVE-2024-46771, CVE-2024-43905, CVE-2024-43884, CVE-2024-41070,
CVE-2024-43829, CVE-2024-46725, CVE-2024-45028, CVE-2024-42287,
CVE-2024-42313, CVE-2024-42277, CVE-2024-42290, CVE-2024-44934,
CVE-2024-46829, CVE-2024-46707, CVE-2024-46677, CVE-2024-42311,
CVE-2024-46814, CVE-2024-46815, CVE-2024-46755, CVE-2024-41065,
CVE-2024-43889, CVE-2024-46780, CVE-2024-43860, CVE-2024-46777,
CVE-2024-46719, CVE-2024-45009, CVE-2024-42302, CVE-2024-42304,
CVE-2024-41063, CVE-2024-47659, CVE-2024-46822, CVE-2024-46756,
CVE-2024-42283, CVE-2024-46757, CVE-2024-43909, CVE-2024-45011,
CVE-2024-46739, CVE-2024-46750, CVE-2024-46782, CVE-2024-44986,
CVE-2024-44983, CVE-2024-45021, CVE-2024-44987, CVE-2024-41090,
CVE-2024-42288, CVE-2024-44969, CVE-2024-42272, CVE-2024-43893,
CVE-2024-42259, CVE-2024-46781, CVE-2024-43907, CVE-2024-42265,
CVE-2024-43839, CVE-2024-47663, CVE-2024-46798, CVE-2024-43817,
CVE-2024-42295, CVE-2024-46840, CVE-2024-45008, CVE-2024-43849,
CVE-2024-46744, CVE-2024-43879, CVE-2024-43841, CVE-2024-42299,
CVE-2024-46783, CVE-2024-36484, CVE-2024-47660, CVE-2024-42310,
CVE-2024-44990, CVE-2024-42270, CVE-2024-43894, CVE-2024-41071,
CVE-2024-40915, CVE-2024-46810, CVE-2024-44954, CVE-2024-42246,
CVE-2023-52889, CVE-2024-43892, CVE-2024-43890, CVE-2024-42284,
CVE-2023-52918, CVE-2024-47669, CVE-2024-41078, CVE-2024-41073,
CVE-2024-26800, CVE-2024-41091, CVE-2024-46828, CVE-2022-48666,
CVE-2024-41060, CVE-2024-42114, CVE-2024-46807, CVE-2024-26669,
CVE-2024-44965, CVE-2024-46758, CVE-2024-44947, CVE-2024-43875,
CVE-2024-42126, CVE-2024-46685, CVE-2024-43883, CVE-2024-46722,
CVE-2024-41064, CVE-2024-43882, CVE-2024-46679, CVE-2024-46740,
CVE-2024-45025, CVE-2024-46721, CVE-2024-38611, CVE-2024-46844,
CVE-2024-45007, CVE-2024-44960, CVE-2024-42306, CVE-2024-44971,
CVE-2024-43835, CVE-2024-42305, CVE-2024-43846, CVE-2024-42289,
CVE-2024-46689, CVE-2024-46724, CVE-2024-43853, CVE-2024-44974,
CVE-2024-43828, CVE-2024-43914, CVE-2024-44958, CVE-2024-46673,
CVE-2024-46723, CVE-2024-41081, CVE-2024-46738, CVE-2024-42296,
CVE-2024-45006, CVE-2024-46714, CVE-2024-43880, CVE-2024-42271,
CVE-2024-44985, CVE-2024-41072, CVE-2024-43867, CVE-2024-43858,
CVE-2024-26893, CVE-2024-41059, CVE-2024-38577, CVE-2024-46817,
CVE-2024-46702, CVE-2024-41019, CVE-2024-44999, CVE-2024-43908,
CVE-2024-42292, CVE-2024-43856, CVE-2024-45018, CVE-2024-41068,
CVE-2024-43870, CVE-2024-45003, CVE-2024-42297, CVE-2024-47668,
CVE-2024-43830, CVE-2024-26661, CVE-2024-41017, CVE-2024-42309,
CVE-2024-43861, CVE-2024-46791, CVE-2024-44989, CVE-2024-46745,
CVE-2024-42269, CVE-2024-43863, CVE-2024-43854, CVE-2024-44995,
CVE-2024-46804, CVE-2024-44948, CVE-2024-46819, CVE-2024-41098,
CVE-2024-44982, CVE-2024-46763, CVE-2024-46832, CVE-2024-41077,
CVE-2024-42274, CVE-2024-47667, CVE-2024-41012, CVE-2024-41020,
CVE-2024-42301, CVE-2024-42267, CVE-2024-46713, CVE-2024-38602,
CVE-2024-44988)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
linux-image-5.15.0-1067-intel-iotg 5.15.0-1067.73
linux-image-intel-iotg 5.15.0.1067.67
Ubuntu 20.04 LTS
linux-image-5.15.0-1067-intel-iotg 5.15.0-1067.73~20.04.1
linux-image-intel 5.15.0.1067.73~20.04.1
linux-image-intel-iotg 5.15.0.1067.73~20.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7144-1
CVE-2022-48666, CVE-2023-52889, CVE-2023-52918, CVE-2024-25744,
CVE-2024-26607, CVE-2024-26661, CVE-2024-26669, CVE-2024-26800,
CVE-2024-26893, CVE-2024-36484, CVE-2024-38577, CVE-2024-38602,
CVE-2024-38611, CVE-2024-39472, CVE-2024-40915, CVE-2024-41011,
CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41019,
CVE-2024-41020, CVE-2024-41022, CVE-2024-41042, CVE-2024-41059,
CVE-2024-41060, CVE-2024-41063, CVE-2024-41064, CVE-2024-41065,
CVE-2024-41068, CVE-2024-41070, CVE-2024-41071, CVE-2024-41072,
CVE-2024-41073, CVE-2024-41077, CVE-2024-41078, CVE-2024-41081,
CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42114,
CVE-2024-42126, CVE-2024-42246, CVE-2024-42259, CVE-2024-42265,
CVE-2024-42267, CVE-2024-42269, CVE-2024-42270, CVE-2024-42271,
CVE-2024-42272, CVE-2024-42274, CVE-2024-42276, CVE-2024-42277,
CVE-2024-42280, CVE-2024-42281, CVE-2024-42283, CVE-2024-42284,
CVE-2024-42285, CVE-2024-42286, CVE-2024-42287, CVE-2024-42288,
CVE-2024-42289, CVE-2024-42290, CVE-2024-42292, CVE-2024-42295,
CVE-2024-42296, CVE-2024-42297, CVE-2024-42299, CVE-2024-42301,
CVE-2024-42302, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,
CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42312,
CVE-2024-42313, CVE-2024-42318, CVE-2024-43817, CVE-2024-43828,
CVE-2024-43829, CVE-2024-43830, CVE-2024-43834, CVE-2024-43835,
CVE-2024-43839, CVE-2024-43841, CVE-2024-43846, CVE-2024-43849,
CVE-2024-43853, CVE-2024-43854, CVE-2024-43856, CVE-2024-43858,
CVE-2024-43860, CVE-2024-43861, CVE-2024-43863, CVE-2024-43867,
CVE-2024-43869, CVE-2024-43870, CVE-2024-43871, CVE-2024-43873,
CVE-2024-43875, CVE-2024-43879, CVE-2024-43880, CVE-2024-43882,
CVE-2024-43883, CVE-2024-43884, CVE-2024-43889, CVE-2024-43890,
CVE-2024-43892, CVE-2024-43893, CVE-2024-43894, CVE-2024-43902,
CVE-2024-43905, CVE-2024-43907, CVE-2024-43908, CVE-2024-43909,
CVE-2024-43914, CVE-2024-44934, CVE-2024-44935, CVE-2024-44944,
CVE-2024-44946, CVE-2024-44947, CVE-2024-44948, CVE-2024-44954,
CVE-2024-44958, CVE-2024-44960, CVE-2024-44965, CVE-2024-44966,
CVE-2024-44969, CVE-2024-44971, CVE-2024-44974, CVE-2024-44982,
CVE-2024-44983, CVE-2024-44985, CVE-2024-44986, CVE-2024-44987,
CVE-2024-44988, CVE-2024-44989, CVE-2024-44990, CVE-2024-44995,
CVE-2024-44998, CVE-2024-44999, CVE-2024-45003, CVE-2024-45006,
CVE-2024-45007, CVE-2024-45008, CVE-2024-45009, CVE-2024-45011,
CVE-2024-45018, CVE-2024-45021, CVE-2024-45025, CVE-2024-45026,
CVE-2024-45028, CVE-2024-46673, CVE-2024-46675, CVE-2024-46676,
CVE-2024-46677, CVE-2024-46679, CVE-2024-46685, CVE-2024-46689,
CVE-2024-46702, CVE-2024-46707, CVE-2024-46713, CVE-2024-46714,
CVE-2024-46719, CVE-2024-46721, CVE-2024-46722, CVE-2024-46723,
CVE-2024-46724, CVE-2024-46725, CVE-2024-46731, CVE-2024-46732,
CVE-2024-46737, CVE-2024-46738, CVE-2024-46739, CVE-2024-46740,
CVE-2024-46743, CVE-2024-46744, CVE-2024-46745, CVE-2024-46746,
CVE-2024-46747, CVE-2024-46750, CVE-2024-46752, CVE-2024-46755,
CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,
CVE-2024-46761, CVE-2024-46763, CVE-2024-46771, CVE-2024-46777,
CVE-2024-46780, CVE-2024-46781, CVE-2024-46782, CVE-2024-46783,
CVE-2024-46791, CVE-2024-46795, CVE-2024-46798, CVE-2024-46800,
CVE-2024-46804, CVE-2024-46805, CVE-2024-46807, CVE-2024-46810,
CVE-2024-46814, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,
CVE-2024-46819, CVE-2024-46822, CVE-2024-46828, CVE-2024-46829,
CVE-2024-46832, CVE-2024-46840, CVE-2024-46844, CVE-2024-47659,
CVE-2024-47660, CVE-2024-47663, CVE-2024-47665, CVE-2024-47667,
CVE-2024-47668, CVE-2024-47669
Package Information:
https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1067.73
https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1067.73~20.04.1
[USN-7143-1] RabbitMQ Server vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7143-1
December 09, 2024
rabbitmq-server vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
RabbitMQ Server could be made to expose sensitive information over the
network.
Software Description:
- rabbitmq-server: AMQP server written in Erlang
Details:
Christian Rellmann discovered that RabbitMQ Server did not properly
sanitize user input when adding a new user via the management UI. An
attacker could possibly use this issue to perform cross-site scripting and
obtain sensitive information. (CVE-2021-32718)
Fahimhusain Raydurg discovered that RabbitMQ Server did not properly
sanitize user input when using the federation management plugin. An
attacker could possibly use this issue to perform cross-site scripting and
obtain sensitive information. (CVE-2021-32719)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
rabbitmq-server 3.8.3-0ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7143-1
CVE-2021-32718, CVE-2021-32719
Package Information:
https://launchpad.net/ubuntu/+source/rabbitmq-server/3.8.3-0ubuntu0.2