Overview

This week we take a deep dive behind-the-scenes look into how the team handled a
recent report from Snyk’s Security Lab of a local privilege escalation
vulnerability in wpa_supplicant plus we cover security updates in Prometheus
Alertmanager, OpenSSL, Exim, snapd, Gross, curl and more.

This week in Ubuntu Security Updates

185 unique CVEs addressed

[USN-6935-1] Prometheus Alertmanager vulnerability (01:08 )

• 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  
  
  
  • CVE-2023-40577
  
  
  
  


• Stored XSS via the Alertmanager UI - alerts API allows to specify a URL which
  should be able to be called interactively by the user from the UI - an
  attacker instead could POST to this with arbitrary JavaScript which would then
  get included in the generated HTML and hence run on users when viewing the UI


• Fixed to validate this field is actually a URL before including in the
  generated UI page

[USN-6938-1] Linux kernel vulnerabilities (02:05 )

• 31 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  
  
  
  • CVE-2024-35978
  
  
  • CVE-2024-35984
  
  
  • CVE-2024-35997
  
  
  • CVE-2024-26840
  
  
  • CVE-2024-27020
  
  
  • CVE-2023-52752
  
  
  • CVE-2021-47194
  
  
  • CVE-2021-46960
  
  
  • CVE-2024-26884
  
  
  • CVE-2024-36016
  
  
  • CVE-2023-52436
  
  
  • CVE-2024-36902
  
  
  • CVE-2024-26886
  
  
  • CVE-2023-52469
  
  
  • CVE-2024-26923
  
  
  • CVE-2023-52444
  
  
  • CVE-2023-52620
  
  
  • CVE-2021-46933
  
  
  • CVE-2024-35982
  
  
  • CVE-2023-52449
  
  
  • CVE-2024-26934
  
  
  • CVE-2024-26882
  
  
  • CVE-2024-26857
  
  
  • CVE-2021-46932
  
  
  • CVE-2024-26901
  
  
  • CVE-2024-25739
  
  
  • CVE-2024-24859
  
  
  • CVE-2024-24858
  
  
  • CVE-2024-24857
  
  
  • CVE-2023-46343
  
  
  • CVE-2022-48619
  
  
  
  


• 4.4 - generic, AWS, KVM, Low Latency, Virtual

[USN-6922-2] Linux kernel vulnerabilities

• 4 CVEs addressed in Jammy (22.04 LTS)
  
  
  
  • CVE-2024-25739
  
  
  • CVE-2024-24859
  
  
  • CVE-2024-24858
  
  
  • CVE-2024-24857
  
  
  
  


• 6.5 lowlatency

[USN-6926-2] Linux kernel vulnerabilities

• 30 CVEs addressed in Trusty ESM (14.04 ESM), Bionic ESM (18.04 ESM)
  
  
  
  • CVE-2023-52620
  
  
  • CVE-2023-52444
  
  
  • CVE-2024-26901
  
  
  • CVE-2023-52449
  
  
  • CVE-2024-27013
  
  
  • CVE-2024-26934
  
  
  • CVE-2024-35978
  
  
  • CVE-2024-27020
  
  
  • CVE-2023-52469
  
  
  • CVE-2024-35982
  
  
  • CVE-2024-35997
  
  
  • CVE-2023-52443
  
  
  • CVE-2024-36902
  
  
  • CVE-2024-26857
  
  
  • CVE-2024-36016
  
  
  • CVE-2023-52436
  
  
  • CVE-2023-52752
  
  
  • CVE-2024-26886
  
  
  • CVE-2024-35984
  
  
  • CVE-2023-52435
  
  
  • CVE-2024-26840
  
  
  • CVE-2024-26923
  
  
  • CVE-2024-26882
  
  
  • CVE-2024-26884
  
  
  • CVE-2024-25744
  
  
  • CVE-2024-25739
  
  
  • CVE-2024-24859
  
  
  • CVE-2024-24858
  
  
  • CVE-2024-24857
  
  
  • CVE-2023-46343
  
  
  
  


• 4.15 Azure

[USN-6895-4] Linux kernel vulnerabilities

• 100 CVEs addressed in Jammy (22.04 LTS)
  
  
  
  • CVE-2024-26802
  
  
  • CVE-2024-26664
  
  
  • CVE-2023-52880
  
  
  • CVE-2024-26695
  
  
  • CVE-2024-27416
  
  
  • CVE-2024-26714
  
  
  • <a href="https://ubuntu.com/security/CVE-2024-2660