-----BEGIN PGP SIGNATURE-----
wsF5BAABCAAjFiEEcfvxe+flLQwqLJFE8LYUYLBMS1YFAmc89y0FAwAAAAAACgkQ8LYUYLBMS1bg
PRAAgKRqybx7jNPGUrnV/sUqI2jyJtFqONfdbEfARV/hVBA81UQMKTGLmHgJ/Ma/LsMzd5Srsy8N
Ra5njGiOr/DU3kZNPUzk0h+OSoaeqadC021FD1ivBp5XOvydszwKgBVm3vfmfjrll0cL6TJbobC1
vEy8nEp7yxg6b5xxJjMjt6t21Z1fOhyMKO5L6e4K4K95exV948IsRz/Em2fVgNb08NI6jU4OPpKg
KXnDKseo/rvmi6kyAbdIpQKXb+lfCI9lkRPtbzGTxK8cs8Hhlj+QGmNf57Y99He3Krw5bPNoU/sO
jUIP0eQSdlYM4+W07SJeGOKPosSIhGZR+TUoY/I9H7EPMtBWJaH7pwS8yQ0O/hbF3Y12RqU1+TMS
IAFEFg4xz3NBRw1Xcq8+fvSb1obSAHcM7TZp9QOLAgnDMS0WbU8jXWt1pUwuyndr8adjzVXe1nBz
F03elIo0qIyJL/cOKG8KNqIqp1vV+O8/mEg/oScyxixvEfzmBdTtJSeqYBveANEyeY29vP5ip3yw
wBJQ4bKFrtB6ZhRO91kxA0nnu/yj2vuV4+9CulNlp4LoT1RB/RPeDaJjvIe+GHaGxnXgmEL+U1AA
lpVQZO237sC6K1IWicNZyQjwR6kh0Vnw0QhxsAlzOQLG3nJMCO7fIRCPx5rJ/qQ0xZydUb5fU0f3
iBs=
=RONV
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7117-1
November 19, 2024
Several security issues were fixed in needrestart and Module::ScanDeps
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in libmodule-scandeps-perl, needrestart.
Software Description:
- libmodule-scandeps-perl: module to recursively scan Perl code for
dependencies
- needrestart: check which daemons need to be restarted after library
upgrades
Details:
Qualys discovered that needrestart passed unsanitized data to a library
(libmodule-scandeps-perl) which expects safe input. A local attacker could
possibly use this issue to execute arbitrary code as root.
(CVE-2024-11003)
Qualys discovered that the library libmodule-scandeps-perl incorrectly
parsed perl code. This could allow a local attacker to execute arbitrary
shell commands. (CVE-2024-10224)
Qualys discovered that needrestart incorrectly used the PYTHONPATH
environment variable to spawn a new Python interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48990)
Qualys discovered that needrestart incorrectly checked the path to the
Python interpreter. A local attacker could possibly use this issue to win
a race condition and execute arbitrary code as root. (CVE-2024-48991)
Qualys discovered that needrestart incorrectly used the RUBYLIB
environment variable to spawn a new Ruby interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48992)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libmodule-scandeps-perl 1.35-1ubuntu0.24.10.1
needrestart 3.6-8ubuntu4.2
Ubuntu 24.04 LTS
libmodule-scandeps-perl 1.35-1ubuntu0.24.04.1
needrestart 3.6-7ubuntu4.3
Ubuntu 22.04 LTS
libmodule-scandeps-perl 1.31-1ubuntu0.1
needrestart 3.5-5ubuntu2.2
Ubuntu 20.04 LTS
libmodule-scandeps-perl 1.27-1ubuntu0.1~esm1
Available with Ubuntu Pro
needrestart 3.4-6ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libmodule-scandeps-perl 1.24-1ubuntu0.1~esm1
Available with Ubuntu Pro
needrestart 3.1-1ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libmodule-scandeps-perl 1.20-1ubuntu0.1~esm1
Available with Ubuntu Pro
needrestart 2.6-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7117-1
CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-48991,
CVE-2024-48992
Package Information:
https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.35-1ubuntu0.24.10.1
https://launchpad.net/ubuntu/+source/needrestart/3.6-8ubuntu4.2
https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.35-1ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/needrestart/3.6-7ubuntu4.3
https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.31-1ubuntu0.1
https://launchpad.net/ubuntu/+source/needrestart/3.5-5ubuntu2.2
No comments:
Post a Comment