[USN-6825-1] ADOdb vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6825-1
June 10, 2024

libphp-adodb vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in ADOdb.

Software Description:
- libphp-adodb: ADOdb is a PHP database abstraction layer library

Details:

It was discovered that the PDO driver in ADOdb was incorrectly handling
string quotes. A remote attacker could possibly use this issue to perform
SQL injection attacks. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-7405)

It was discovered that ADOdb was incorrectly handling GET parameters in
test.php. A remote attacker could possibly use this issue to execute
cross-site scripting (XSS) attacks. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-4855)

Emmet Leahy discovered that ADOdb was incorrectly handling string quotes in
PostgreSQL connections. A remote attacker could possibly use this issue to
bypass authentication. (CVE-2021-3850)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  libphp-adodb                    5.20.19-1ubuntu0.1

Ubuntu 20.04 LTS
  libphp-adodb                    5.20.16-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libphp-adodb                    5.20.9-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libphp-adodb                    5.20.3-1ubuntu1+esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6825-1
  CVE-2016-4855, CVE-2016-7405, CVE-2021-3850

Package Information:
  https://launchpad.net/ubuntu/+source/libphp-adodb/5.20.19-1ubuntu0.1
[USN-6796-1] TPM2 Software Stack vulnerabilities
==========================================================================
Ubuntu Security Notice USN-6796-1
May 29, 2024

tpm2-tss vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in TPM2 Software Stack.

Software Description:
- tpm2-tss: TPM2 Software Stack library

Details:

Fergus Dall discovered that TPM2 Software Stack did not properly handle
layer arrays. An attacker could possibly use this issue to cause TPM2
Software Stack to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2023-22745)

Jurgen Repp and Andreas Fuchs discovered that TPM2 Software Stack did not
validate the quote data after deserialization. An attacker could generate
an arbitrary quote and cause TPM2 Software Stack to have unknown behavior.
(CVE-2024-29040)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libtss2-esys-3.0.2-0t64         4.0.1-7.1ubuntu5.1
  libtss2-fapi1t64                4.0.1-7.1ubuntu5.1
  libtss2-mu-4.0.1-0t64           4.0.1-7.1ubuntu5.1
  libtss2-policy0t64              4.0.1-7.1ubuntu5.1
  libtss2-rc0t64                  4.0.1-7.1ubuntu5.1
  libtss2-sys1t64                 4.0.1-7.1ubuntu5.1
  libtss2-tcti-cmd0t64            4.0.1-7.1ubuntu5.1
  libtss2-tcti-device0t64         4.0.1-7.1ubuntu5.1
  libtss2-tcti-libtpms0t64        4.0.1-7.1ubuntu5.1
  libtss2-tcti-mssim0t64          4.0.1-7.1ubuntu5.1
  libtss2-tcti-pcap0t64           4.0.1-7.1ubuntu5.1
  libtss2-tcti-spi-helper0t64     4.0.1-7.1ubuntu5.1
  libtss2-tcti-swtpm0t64          4.0.1-7.1ubuntu5.1
  libtss2-tctildr0t64             4.0.1-7.1ubuntu5.1

Ubuntu 23.10
  libtss2-esys-3.0.2-0            4.0.1-3ubuntu1.1
  libtss2-fapi1                   4.0.1-3ubuntu1.1
  libtss2-mu0                     4.0.1-3ubuntu1.1
  libtss2-policy0                 4.0.1-3ubuntu1.1
  libtss2-rc0                     4.0.1-3ubuntu1.1
  libtss2-sys1                    4.0.1-3ubuntu1.1
  libtss2-tcti-cmd0               4.0.1-3ubuntu1.1
  libtss2-tcti-device0            4.0.1-3ubuntu1.1
  libtss2-tcti-libtpms0           4.0.1-3ubuntu1.1
  libtss2-tcti-mssim0             4.0.1-3ubuntu1.1
  libtss2-tcti-pcap0              4.0.1-3ubuntu1.1
  libtss2-tcti-spi-helper0        4.0.1-3ubuntu1.1
  libtss2-tcti-swtpm0             4.0.1-3ubuntu1.1
  libtss2-tctildr0                4.0.1-3ubuntu1.1

Ubuntu 22.04 LTS
  libtss2-esys-3.0.2-0            3.2.0-1ubuntu1.1
  libtss2-fapi1                   3.2.0-1ubuntu1.1
  libtss2-mu0                     3.2.0-1ubuntu1.1
  libtss2-rc0                     3.2.0-1ubuntu1.1
  libtss2-sys1                    3.2.0-1ubuntu1.1
  libtss2-tcti-cmd0               3.2.0-1ubuntu1.1
  libtss2-tcti-device0            3.2.0-1ubuntu1.1
  libtss2-tcti-mssim0             3.2.0-1ubuntu1.1
  libtss2-tcti-swtpm0             3.2.0-1ubuntu1.1
  libtss2-tctildr0                3.2.0-1ubuntu1.1

Ubuntu 20.04 LTS
  libtss2-esys0                   2.3.2-1ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6796-1
  CVE-2023-22745, CVE-2024-29040

Package Information:
  https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-7.1ubuntu5.1
  https://launchpad.net/ubuntu/+source/tpm2-tss/4.0.1-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/tpm2-tss/3.2.0-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/tpm2-tss/2.3.2-1ubuntu0.20.04.2
[USN-6781-1] Spreadsheet::ParseExcel vulnerability
==========================================================================
Ubuntu Security Notice USN-6781-1
May 21, 2024

libspreadsheet-parseexcel-perl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Spreadsheet::ParseExcel could possibly run commands if it processed a
specially crafted file.

Software Description:
- libspreadsheet-parseexcel-perl: Perl module to access information from Excel Spreadsheets

Details:

Le Dinh Hai discovered that Spreadsheet::ParseExcel was passing unvalidated
input from a file into a string-type "eval". An attacker could craft a
malicious file to achieve arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1.1ubuntu0.1

Ubuntu 20.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1ubuntu0.20.04.1

Ubuntu 18.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1ubuntu0.18.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libspreadsheet-parseexcel-perl  0.6500-1ubuntu0.16.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libspreadsheet-parseexcel-perl  0.5800-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6781-1
  CVE-2023-7101

Package Information:
  https://launchpad.net/ubuntu/+source/libspreadsheet-parseexcel-perl/0.6500-1.1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libspreadsheet-parseexcel-perl/0.6500-1ubuntu0.20.04.1
[USN-6753-1] CryptoJS vulnerability
==========================================================================
Ubuntu Security Notice USN-6753-1
April 25, 2024

cryptojs vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

CryptoJS could be made to expose sensitive information.

Software Description:
- cryptojs: collection of cryptographic algorithms implemented in JavaScript

Details:

Thomas Neil James Shadwell discovered that CryptoJS was using an insecure
cryptographic default configuration. A remote attacker could possibly use
this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
  libjs-cryptojs                  3.1.2+dfsg-3ubuntu0.22.04.1~esm1

Ubuntu 20.04 LTS:
  libjs-cryptojs                  3.1.2+dfsg-2ubuntu0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libjs-cryptojs                  3.1.2+dfsg-2ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libjs-cryptojs                  3.1.2+dfsg-2ubuntu0.16.04.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6753-1
  CVE-2023-46233

Package Information:
  https://launchpad.net/ubuntu/+source/cryptojs/3.1.2+dfsg-2ubuntu0.20.04.1