Category Archives: Advisories

USN-7050-1: Devise-Two-Factor vulnerabilities

Read Time:20 Second

Benoit Côté-Jodoin and Michael Nipper discovered that Devise-Two-Factor
incorrectly handled one-time password validation. An attacker could
possibly use this issue to intercept and re-use a one-time password.
(CVE-2021-43177)

Garrett Rappaport discovered that Devise-Two-Factor incorrectly handled
generating multi-factor authentication codes. An attacker could possibly
use this issue to generate valid multi-factor authentication codes.
(CVE-2024-8796)

Read More

USN-7022-2: Linux kernel vulnerabilities

Read Time:24 Second

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– GPU drivers;
– Modular ISDN driver;
– MMC subsystem;
– SCSI drivers;
– F2FS file system;
– GFS2 file system;
– Netfilter;
– RxRPC session sockets;
– Integrity Measurement Architecture(IMA) framework;
(CVE-2021-47188, CVE-2024-42160, CVE-2024-42228, CVE-2022-48863,
CVE-2024-26677, CVE-2024-26787, CVE-2024-38570, CVE-2024-39494,
CVE-2022-48791, CVE-2024-27012)

Read More

USN-7043-2: cups-filters vulnerability

Read Time:27 Second

USN-7043-1 fixed a vulnerability in cups-filters. This update provides
the corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

Simone Margaritelli discovered that the cups-filters cups-browsed component
could be used to create arbitrary printers from outside the local network.
In combination with issues in other printing components, a remote attacker
could possibly use this issue to connect to a system, created manipulated
PPD files, and execute arbitrary code when a printer is used. This update
disables support for the legacy CUPS printer discovery protocol.

Read More

USN-7049-1: PHP vulnerabilities

Read Time:33 Second

It was discovered that PHP incorrectly handled parsing multipart form data.
A remote attacker could possibly use this issue to inject payloads and
cause PHP to ignore legitimate data. (CVE-2024-8925)

It was discovered that PHP incorrectly handled the cgi.force_redirect
configuration option due to environment variable collisions. In certain
configurations, an attacker could possibly use this issue bypass
force_redirect restrictions. (CVE-2024-8927)

It was discovered that PHP-FPM incorrectly handled logging. A remote
attacker could possibly use this issue to alter and inject arbitrary
contents into log files. This issue only affected Ubuntu 22.04 LTS, and
Ubuntu 24.04 LTS. (CVE-2024-9026)

Read More

USN-7003-5: Linux kernel vulnerabilities

Read Time:2 Minute, 7 Second

It was discovered that the JFS file system contained an out-of-bounds read
vulnerability when printing xattr debug information. A local attacker could
use this to cause a denial of service (system crash). (CVE-2024-40902)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– MIPS architecture;
– PowerPC architecture;
– x86 architecture;
– ACPI drivers;
– Serial ATA and Parallel ATA drivers;
– Drivers core;
– GPIO subsystem;
– GPU drivers;
– Greybus drivers;
– HID subsystem;
– I2C subsystem;
– IIO subsystem;
– InfiniBand drivers;
– Media drivers;
– VMware VMCI Driver;
– Network drivers;
– Pin controllers subsystem;
– S/390 drivers;
– SCSI drivers;
– USB subsystem;
– JFFS2 file system;
– JFS file system;
– File systems infrastructure;
– NILFS2 file system;
– IOMMU subsystem;
– Sun RPC protocol;
– Netfilter;
– Memory management;
– B.A.T.M.A.N. meshing protocol;
– CAN network layer;
– Ceph Core library;
– Networking core;
– IPv4 networking;
– IPv6 networking;
– IUCV driver;
– MAC80211 subsystem;
– NET/ROM layer;
– Network traffic control;
– SoC Audio for Freescale CPUs drivers;
(CVE-2024-40916, CVE-2024-41035, CVE-2024-39469, CVE-2024-39499,
CVE-2024-36978, CVE-2024-42092, CVE-2024-42087, CVE-2024-42102,
CVE-2024-40978, CVE-2024-40902, CVE-2024-36974, CVE-2024-42096,
CVE-2024-40974, CVE-2024-40904, CVE-2024-40905, CVE-2024-42153,
CVE-2024-42106, CVE-2024-42070, CVE-2024-41097, CVE-2024-42090,
CVE-2024-42105, CVE-2024-42104, CVE-2024-39502, CVE-2024-41089,
CVE-2024-40945, CVE-2024-38619, CVE-2024-40961, CVE-2024-42127,
CVE-2024-39487, CVE-2024-40988, CVE-2024-41044, CVE-2024-42236,
CVE-2024-40942, CVE-2024-39506, CVE-2024-39509, CVE-2024-39503,
CVE-2024-40934, CVE-2024-40959, CVE-2024-42101, CVE-2024-40960,
CVE-2024-40968, CVE-2024-41087, CVE-2023-52803, CVE-2024-40987,
CVE-2024-40943, CVE-2024-42089, CVE-2023-52887, CVE-2024-37078,
CVE-2024-42148, CVE-2024-36894, CVE-2024-42097, CVE-2024-41006,
CVE-2024-40984, CVE-2024-40963, CVE-2024-42223, CVE-2024-40912,
CVE-2024-42086, CVE-2024-41049, CVE-2024-42157, CVE-2024-41034,
CVE-2024-42145, CVE-2024-42124, CVE-2024-40995, CVE-2024-42224,
CVE-2024-40981, CVE-2024-41095, CVE-2024-40901, CVE-2024-42115,
CVE-2024-41041, CVE-2024-41007, CVE-2024-39505, CVE-2024-40932,
CVE-2024-39495, CVE-2024-40980, CVE-2024-42084, CVE-2024-41046,
CVE-2024-42119, CVE-2024-42076, CVE-2024-42232, CVE-2024-39501,
CVE-2024-40958, CVE-2024-40941, CVE-2024-42093, CVE-2024-42094,
CVE-2024-42154)

Read More

webkitgtk-2.46.1-1.fc39

Read Time:36 Second

FEDORA-2024-e1357fc22f

Packages in this update:

webkitgtk-2.46.1-1.fc39

Update description:

Fix login QR code not shown in WhatsApp web.
Disable PSON by default again in GTK 3 API versions.
Disable DMABuf video sink by default to prevent file descriptor leaks.
Fix several crashes and rendering issues.

Use Skia instead of cairo for 2D rendering and enable GPU rendering by default.
Enable offscreen canvas by default.
Add support for system tracing with Sysprof.
Implement printing using the Print portal.
Add new API to load settings from a config file.
Add a new setting to enable or disable the 2D canvas acceleration (enabled by default).
Undeprecate console messages API and make it available in 6.0 API.

Read More

webkitgtk-2.46.1-1.fc41

Read Time:36 Second

FEDORA-2024-b142cc07d0

Packages in this update:

webkitgtk-2.46.1-1.fc41

Update description:

Fix login QR code not shown in WhatsApp web.
Disable PSON by default again in GTK 3 API versions.
Disable DMABuf video sink by default to prevent file descriptor leaks.
Fix several crashes and rendering issues.

Use Skia instead of cairo for 2D rendering and enable GPU rendering by default.
Enable offscreen canvas by default.
Add support for system tracing with Sysprof.
Implement printing using the Print portal.
Add new API to load settings from a config file.
Add a new setting to enable or disable the 2D canvas acceleration (enabled by default).
Undeprecate console messages API and make it available in 6.0 API.

Read More

webkitgtk-2.46.1-1.fc40

Read Time:36 Second

FEDORA-2024-4c6304b6fa

Packages in this update:

webkitgtk-2.46.1-1.fc40

Update description:

Fix login QR code not shown in WhatsApp web.
Disable PSON by default again in GTK 3 API versions.
Disable DMABuf video sink by default to prevent file descriptor leaks.
Fix several crashes and rendering issues.

Use Skia instead of cairo for 2D rendering and enable GPU rendering by default.
Enable offscreen canvas by default.
Add support for system tracing with Sysprof.
Implement printing using the Print portal.
Add new API to load settings from a config file.
Add a new setting to enable or disable the 2D canvas acceleration (enabled by default).
Undeprecate console messages API and make it available in 6.0 API.

Read More

USN-7041-2: CUPS vulnerability

Read Time:17 Second

USN-7041-1 fixed a vulnerability in CUPS. This update provides
the corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

Simone Margaritelli discovered that CUPS incorrectly sanitized IPP
data when creating PPD files. A remote attacker could possibly use this
issue to manipulate PPD files and execute arbitrary code when a printer is
used.

Read More