Episode 227

Update: 2024-05-03

Overview


Ubuntu 24.04 LTS is finally released and we cover all the new security features
it brings, plus we look at security vulnerabilities in, and updates for,
FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.


This week in Ubuntu Security Updates


61 unique CVEs addressed


[USN-6749-1] FreeRDP vulnerabilities (00:45)



[USN-6752-1] FreeRDP vulnerabilities (01:41)



[USN-6657-2] Dnsmasq vulnerabilities (01:54)



[USN-6743-3] Linux kernel (Azure) vulnerabilities (02:13)



[USN-6750-1] Thunderbird vulnerabilities (02:19)



[USN-6751-1] Zabbix vulnerabilities (02:54)

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)

  • First time Zabbix has featured in the podcast!

  • Fixes 2 reflected XSS issues - in newer versions both require the attacker to
    be able to specify the user’s specific CSRF token, but in older versions
    there was only a session ID, which is easier to guess


[USN-6753-1] CryptoJS vulnerability (03:38)

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)

  • Insecure default config - the PBKDF2 implementation used older parameters
    (SHA1 with a single iteration), which makes any password protected via
    PBKDF2 in crypto-js easier to brute-force from the hashed value - now
    updated to use SHA256 with 250,000 rounds


[USN-6754-1] nghttp2 vulnerabilities (04:32)

  • 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

  • Fixes for the most recent issue in HTTP/2 (plus a few older HTTP/2 issues for ESM
    releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we
    covered in [USN-4099-1] nginx vulnerabilities from Episode 49 -
    all DoS attacks)

  • HTTP/2 CONTINUATION frames - there was no proper limit on the number of these
    frames that can be sent in a single stream - an attacker can send many to
    cause a DoS on the server, either via CPU (processing them all) or memory
    (storing all these headers in memory)


[USN-6755-1] GNU cpio vulnerabilities (05:42)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

  • Path traversal vuln - possible to write outside of the target directory

  • Specific to Debian/Ubuntu etc since part of the fix for the historic
    CVE-2015-1197 (path traversal via inclusion of a malicious symlink in the
    archive) was reverted, because it broke the use of the --no-absolute-filenames
    CLI argument

  • Was reverted back in 2.13+dfsg-2 - this was included in all releases of Ubuntu
    since focal

  • Now uses the more correct fix from upstream (April 2023)
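As an added illustration of the class of bug (this is example code, not GNU cpio's or Ubuntu's fix), the snippet below extracts a constructed list of archive entries into a temporary directory and refuses any entry whose final on-disk path resolves outside it. It re-resolves every path with `os.path.realpath` at write time, so a symlink created by an earlier entry (the CVE-2015-1197 pattern) is followed and the write through it is rejected, while leading slashes are stripped the way `--no-absolute-filenames` does. The entry tuples and helper names are this example's own assumptions.

```python
import os
import tempfile

# Archive entries as a cpio-like extractor sees them, constructed for this
# example: (name, kind, symlink_target). The "escape" symlink followed by a
# file beneath it is the malicious-symlink pattern from CVE-2015-1197.
SAMPLE_ENTRIES = [
    ("etc/motd", "file", None),
    ("escape", "symlink", "../.."),
    ("escape/etc/cron.d/evil", "file", None),
    ("../sibling", "file", None),
    ("/etc/passwd", "file", None),
]


def extract_safely(entries, dest, strip_absolute=True):
    """Extract entries under dest, refusing anything that would land outside it.

    Returns {name: "written" | "linked" | "rejected: <reason>"}. Symlinks are
    created as cpio does, so every later path must be re-resolved against the
    links already on disk; os.path.realpath follows them and collapses '..'.
    """
    real_dest = os.path.realpath(dest)
    decisions = {}
    for name, kind, target in entries:
        # --no-absolute-filenames behaviour: "/etc/passwd" becomes "etc/passwd"
        rel = name.lstrip("/") if strip_absolute else name
        if os.path.isabs(rel):
            decisions[name] = "rejected: absolute path"
            continue
        path = os.path.join(real_dest, rel)
        resolved = os.path.realpath(path)
        if resolved != real_dest and not resolved.startswith(real_dest + os.sep):
            decisions[name] = f"rejected: resolves to {resolved}"
            continue
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if kind == "symlink":
            os.symlink(target, path)
            decisions[name] = "linked"
        else:
            with open(path, "wb"):
                pass  # placeholder for the entry's contents
            decisions[name] = "written"
    return decisions


def run_demo() -> dict:
    """Run the extraction in a throwaway directory and return the decisions."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_safely(SAMPLE_ENTRIES, dest)


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:28s} {decision}")
```

Note that the symlink itself is allowed here because it lives inside the target directory; a stricter extractor would also refuse symlink entries whose target resolves outside, which removes the need to trust the write-time check alone.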


[USN-6756-1] less vulnerability (07:10)

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)

  • Second vuln in less in the last 10 weeks or so - [USN-6664-1] less vulnerability from Episode 220

  • Similar issue - this time in the use of the LESSOPEN environment variable - failed
    to properly quote newlines embedded in a filename - could then allow for
    arbitrary code execution if less is run on some untrusted file

  • LESSOPEN is automatically set in Debian/Ubuntu via lesspipe - allows running
    less on, say, a gz compressed log file or even on a tar.gz tarball to list the
    files etc


[USN-6757-1] PHP vulnerabilities (08:41)



  • 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal
Ubuntu Security Team