
Ubuntu Linux has received updates focused on security enhancements, addressing vulnerabilities in ZVBI, SmartDNS, Python, and ELFutils:

[USN-7367-1] zvbi vulnerabilities
[USN-7370-1] SmartDNS vulnerabilities
[USN-7348-2] Python regression
[USN-7369-1] elfutils vulnerabilities




[USN-7367-1] zvbi vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7367-1
March 24, 2025

zvbi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

zvbi could be made to crash or run programs if it received specially
crafted input.

Software Description:
- zvbi: Vertical Blanking Interval (VBI) utilities

Details:

It was discovered that zvbi incorrectly handled memory when processing user
input. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  libzvbi0t64                     0.2.42-2ubuntu0.24.10.2
  zvbi                            0.2.42-2ubuntu0.24.10.2

Ubuntu 24.04 LTS
  libzvbi0t64                     0.2.42-2ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro
  zvbi                            0.2.42-2ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libzvbi0                        0.2.35-19ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  zvbi                            0.2.35-19ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libzvbi0                        0.2.35-17ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  zvbi                            0.2.35-17ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libzvbi0                        0.2.35-13ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  zvbi                            0.2.35-13ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libzvbi0                        0.2.35-10ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  zvbi                            0.2.35-10ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7367-1
  CVE-2025-2173, CVE-2025-2174, CVE-2025-2175, CVE-2025-2176,
  CVE-2025-2177

Package Information:
  https://launchpad.net/ubuntu/+source/zvbi/0.2.42-2ubuntu0.24.10.2



[USN-7370-1] SmartDNS vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7370-1
March 25, 2025

smartdns vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in SmartDNS.

Software Description:
- smartdns: local DNS server to obtain the fastest IP for the best experience

Details:

It was discovered that SmartDNS did not correctly align certain objects in
memory, leading to undefined behaviour. An attacker could possibly use this
issue to cause a denial of service or execute arbitrary code. This issue
only affected Ubuntu 22.04 LTS. (CVE-2024-24198, CVE-2024-24199)

It was discovered that SmartDNS did not correctly handle certain inputs,
which could lead to an integer overflow. A remote attacker could possibly
use this issue to cause a denial of service. This issue only affected
Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-42643)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  smartdns                        46+dfsg-1ubuntu0.1

Ubuntu 24.04 LTS
  smartdns                        45+dfsg-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  smartdns                        35+dfsg-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7370-1
  CVE-2024-24198, CVE-2024-24199, CVE-2024-42643

Package Information:
  https://launchpad.net/ubuntu/+source/smartdns/46+dfsg-1ubuntu0.1



[USN-7348-2] Python regression


==========================================================================
Ubuntu Security Notice USN-7348-2
March 24, 2025

python3.5, python3.8 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-7348-1 introduced a regression in Python.

Software Description:
- python3.8: An interactive high-level object-oriented language
- python3.5: An interactive high-level object-oriented language

Details:

USN-7348-1 fixed vulnerabilities in Python. The update introduced a
regression. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that the Python ipaddress module contained incorrect
 information about which IP address ranges were considered “private” or
 “globally reachable”. This could possibly result in applications applying
 incorrect security policies. This issue only affected Ubuntu 14.04 LTS
 and Ubuntu 16.04 LTS. (CVE-2024-4032)

 It was discovered that Python incorrectly handled quoting path names when
 using the venv module. A local attacker able to control virtual
 environments could possibly use this issue to execute arbitrary code when
 the virtual environment is activated. (CVE-2024-9287)

 It was discovered that Python incorrectly handled parsing bracketed hosts.
 A remote attacker could possibly use this issue to perform a Server-Side
 Request Forgery (SSRF) attack. This issue only affected Ubuntu 14.04 LTS
 and Ubuntu 16.04 LTS. (CVE-2024-11168)

 It was discovered that Python incorrectly handled parsing domain names
 that included square brackets. A remote attacker could possibly use this
 issue to perform a Server-Side Request Forgery (SSRF) attack.
 (CVE-2025-0938)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  python3.8                       3.8.10-0ubuntu1~20.04.18
  python3.8-minimal               3.8.10-0ubuntu1~20.04.18
  python3.8-venv                  3.8.10-0ubuntu1~20.04.18

Ubuntu 16.04 LTS
  python3.5                       3.5.2-2ubuntu0~16.04.13+esm18
                                  Available with Ubuntu Pro
  python3.5-minimal               3.5.2-2ubuntu0~16.04.13+esm18
                                  Available with Ubuntu Pro
  python3.5-venv                  3.5.2-2ubuntu0~16.04.13+esm18
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  python3.5                       3.5.2-2ubuntu0~16.04.4~14.04.1+esm6
                                  Available with Ubuntu Pro
  python3.5-minimal               3.5.2-2ubuntu0~16.04.4~14.04.1+esm6
                                  Available with Ubuntu Pro
  python3.5-venv                  3.5.2-2ubuntu0~16.04.4~14.04.1+esm6
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7348-2
  https://ubuntu.com/security/notices/USN-7348-1
  CVE-2025-0938

Package Information:
  https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.18



[USN-7369-1] elfutils vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7369-1
March 24, 2025

elfutils vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in elfutils.

Software Description:
- elfutils: collection of utilities to handle ELF objects

Details:

It was discovered that readelf from elfutils could be made to read out of
bounds. If a user or automated system were tricked into running readelf
on a specially crafted file, an attacker could cause readelf to crash,
resulting in a denial of service. This issue only affected Ubuntu 24.04
LTS. (CVE-2024-25260)

It was discovered that readelf from elfutils could be made to write out of
bounds. If a user or automated system were tricked into running readelf
on a specially crafted file, an attacker could cause readelf to crash,
resulting in a denial of service, or possibly execute arbitrary code.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2025-1365)

It was discovered that readelf from elfutils could be made to dereference
invalid memory. If a user or automated system were tricked into running
readelf on a specially crafted file, an attacker could cause readelf to
crash, resulting in a denial of service. This issue only affected Ubuntu
24.04 LTS and Ubuntu 24.10. (CVE-2025-1371)

It was discovered that readelf from elfutils could be made to dereference
invalid memory. If a user or automated system were tricked into running
readelf on a specially crafted file, an attacker could cause readelf to
crash, resulting in a denial of service. (CVE-2025-1372)

It was discovered that strip from elfutils could be made to dereference
invalid memory. If a user or automated system were tricked into running
strip on a specially crafted file, an attacker could cause strip to
crash, resulting in a denial of service. (CVE-2025-1377)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  elfutils                        0.191-2ubuntu0.1

Ubuntu 24.04 LTS
  elfutils                        0.190-1.1ubuntu0.1

Ubuntu 22.04 LTS
  elfutils                        0.186-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7369-1
  CVE-2024-25260, CVE-2025-1365, CVE-2025-1371, CVE-2025-1372,
  CVE-2025-1377

Package Information:
  https://launchpad.net/ubuntu/+source/elfutils/0.191-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/elfutils/0.190-1.1ubuntu0.1
  https://launchpad.net/ubuntu/+source/elfutils/0.186-1ubuntu0.1