Ubuntu Security Notice USN-5889-1

==========================================================================Ubuntu Security Notice USN-5889-1February 27, 2023zoneminder vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 16.04 ESMSummary:Several security issues were fixed in ZoneMinder.Software Description:- zoneminder: video camera security and surveillance solutionDetails:It was discovered that ZoneMinder was not properly sanitizing URLparameters for certain views. An attacker could possibly use this issue toperform a cross-site scripting (XSS) attack. This issue was only fixed inUbuntu 16.04 ESM. (CVE-2019-6777)It was discovered that ZoneMinder was not properly sanitizing stored userinput later printed to the user in certain views. An attacker couldpossibly use this issue to perform a cross-site scripting (XSS) attack.This issue was only fixed in Ubuntu 16.04 ESM. (CVE-2019-6990,CVE-2019-6992)It was discovered that ZoneMinder was not properly limiting data size andnot properly performing bound checks when processing username and passworddata, which could lead to a stack buffer overflow. An attacker couldpossibly use this issue to bypass authentication, cause a denial ofservice or execute arbitrary code. This issue was only fixed in Ubuntu16.04 ESM. (CVE-2019-6991)It was discovered that ZoneMinder was not properly defining and filteringdata that was appended to the webroot URL of a view. An attacker couldpossibly use this issue to perform cross-site scripting (XSS) attacks.This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 20.04 LTS.(CVE-2019-7325, CVE-2019-7329)It was discovered that ZoneMinder was not properly sanitizing stored userinput later printed to the user in certain views. An attacker couldpossibly use this issue to perform a cross-site scripting (XSS) attack.This issue was only fixed in Ubuntu 20.04 LTS. (CVE-2019-7326)It was discovered that ZoneMinder was not properly sanitizing URLparameters for certain views. An attacker could possibly use this issue toperform a cross-site scripting (XSS) attack. This issue was only fixed inUbuntu 20.04 LTS. (CVE-2019-7327, CVE-2019-7328, CVE-2019-7330,CVE-2019-7332)It was discovered that ZoneMinder was not properly sanitizing user inputin the monitor editing view. An attacker could possibly use this issue toperform a cross-site scripting (XSS) attack. This issue was only fixed inUbuntu 16.04 ESM and Ubuntu 20.04 LTS. (CVE-2019-7331)It was discovered that ZoneMinder was not properly sanitizing data relatedto file paths in a system. An attacker could possibly use this issue toexecute arbitrary code. (CVE-2022-29806)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   zoneminder                      1.36.12+dfsg1-1ubuntu0.1~esm1Ubuntu 20.04 LTS:   zoneminder                      1.32.3-2ubuntu2+esm1Ubuntu 16.04 ESM:   zoneminder                      1.29.0+dfsg-1ubuntu2+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5889-1   CVE-2019-6777, CVE-2019-6990, CVE-2019-6991, CVE-2019-6992,   CVE-2019-7325, CVE-2019-7326, CVE-2019-7327, CVE-2019-7328,   CVE-2019-7329, CVE-2019-7330, CVE-2019-7331, CVE-2019-7332,   CVE-2022-29806Package Information: