Red Hat Security Advisory 2024-3683-03 - Red Hat OpenShift Service Mesh Containers for 2.5.2.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3683.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat OpenShift Service Mesh Containers for 2.5.2 security updateAdvisory ID:        RHSA-2024:3683-03Product:            Red Hat OpenShift Service MeshAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3683Issue date:         2024-06-06Revision:           03CVE Names:          CVE-2024-24786====================================================================Summary: Red Hat OpenShift Service Mesh Containers for 2.5.2Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.Security Fix(es):* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-24786References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268046https://issues.redhat.com/browse/OSSM-6290https://issues.redhat.com/browse/OSSM-6295https://issues.redhat.com/browse/OSSM-6298https://issues.redhat.com/browse/OSSM-6299https://issues.redhat.com/browse/OSSM-6397

Red Hat Security Advisory 2024-3683-03

Red Hat Security Advisory 2024-3680-03 - Red Hat OpenShift Service Mesh Containers for 2.4.8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3680.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Service Mesh Containers for 2.4.8 security updateAdvisory ID:        RHSA-2024:3680-03Product:            Red Hat OpenShift Service MeshAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3680Issue date:         2024-06-06Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: Red Hat OpenShift Service Mesh Containers for 2.4.8Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.Security Fix(es):* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-3680-03

Debian Linux Security Advisory 5704-1 - Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service or the execution of arbitrary code if malformed images are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5704-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 05, 2024                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : pillowCVE ID         : CVE-2023-44271 CVE-2023-50447 CVE-2024-28219Multiple security issues were discovered in Pillow, a Python imaginglibrary, which could result in denial of service or the execution ofarbitrary code if malformed images are processed.For the oldstable distribution (bullseye), these problems have been fixedin version 8.1.2+dfsg-0.3+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 9.4.0-1.1+deb12u1.We recommend that you upgrade your pillow packages.For the detailed security status of pillow please refer toits security tracker page at:https://security-tracker.debian.org/tracker/pillowFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZgtJUACgkQEMKTtsN8TjZpSw//Ya0Ju4SEXNXTdbLtSMkJ/Mw76ooJgrvI3GaLSarant6LcK7WzyOnjbCH9YKKPojJCyfa5RwBqphHU97dQ9apYmVRv5GVQdw7tjm+s0Uuu3oRMiE+S8c3FVBnYl6nqiTAeQnGERWAnxH2be4P6p2izWaFgK4cBHY4Q958bivB3ebGgS8DfdtuhiQo8tRdM0PREuF+xwiDb9UTRLqGGVNY+k8orkr7Imecu8IS2PakID4bnBB9AxwJ8hCCbRzNITaCh2c5BvovWNw8LADXH6mhYsnvWy0xlhDp7wrFuJBktzuXXLQuIxRkKcm0QVO65rGFI7vrTMxdtxM7ORdnUa6OMxcOwTEYeQwVcQs4k4J7M3WTtH8rz9Bgtca1DdY9foJw34bXitliJeekBibxoPbiQV+jluJAJOIvLVJ5eVeBKIowCsFmFgQbcHSbCgVA8khMMIcp4XFi3NypH2MkTJvJK+0RqchtaVmVFWoNnbamGoyr9Ml+YZbsLP22kBBXSYw9MYCm8ZPN43owNhPHxD38rSg25hJYJOjVkLHoGZYMNse74xZkEaJpyPXk5WS1QM7qYEcG1RK7a44E6xRXU4rLUfLJWCHPWsLLRTNVbKnm1EQsipbKnS4fGjc59dOD8HfNvRbwSpQ/+w9m3L/QU2F015d69UzgG1piGddGBdzLvdE==oUWM-----END PGP SIGNATURE-----

Debian Security Advisory 5704-1

Ubuntu Security Notice 6809-1 - It was discovered that BlueZ could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. It was discovered that BlueZ could be made to write out of bounds. If a user were tricked into connecting to a malicious device, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6809-1  
June 05, 2024

bluez vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in BlueZ.

Software Description:  
- bluez: Bluetooth tools and daemons

Details:

It was discovered that BlueZ could be made to dereference invalid memory.  
An attacker could possibly use this issue to cause a denial of service.  
This issue only affected Ubuntu 22.04 LTS. (CVE-2022-3563)

It was discovered that BlueZ could be made to write out of bounds. If a  
user were tricked into connecting to a malicious device, an attacker could  
possibly use this issue to cause a denial of service or execute arbitrary  
code. (CVE-2023-27349)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
   bluez                           5.64-0ubuntu1.3  
   bluez-tests                     5.64-0ubuntu1.3  
   libbluetooth3                   5.64-0ubuntu1.3

Ubuntu 20.04 LTS  
   bluez                           5.53-0ubuntu3.8  
   libbluetooth3                   5.53-0ubuntu3.8

Ubuntu 18.04 LTS  
   bluez                           5.48-0ubuntu3.9+esm2  
                                   Available with Ubuntu Pro  
   libbluetooth3                   5.48-0ubuntu3.9+esm2  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   bluez                           5.37-0ubuntu5.3+esm4  
                                   Available with Ubuntu Pro  
   libbluetooth3                   5.37-0ubuntu5.3+esm4  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6809-1  
   CVE-2022-3563, CVE-2023-27349

Package Information:  
   https://launchpad.net/ubuntu/+source/bluez/5.64-0ubuntu1.3  
   https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.8

Ubuntu Security Notice USN-6809-1

Ubuntu Security Notice 6812-1 - It was discovered that the Hotspot component of OpenJDK 17 incorrectly handled certain exceptions with specially crafted long messages. An attacker could possibly use this issue to cause a denial of service. It was discovered that OpenJDK 17 incorrectly performed reverse DNS query under certain circumstances in the Networking/HTTP client component. An attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6812-1  
June 06, 2024

openjdk-17 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK 17.

Software Description:  
- openjdk-17: Open Source Java implementation

Details:

It was discovered that the Hotspot component of OpenJDK 17 incorrectly  
handled certain exceptions with specially crafted long messages. An  
attacker could possibly use this issue to cause a denial of service.  
(CVE-2024-21011)

It was discovered that OpenJDK 17 incorrectly performed reverse DNS  
query under certain circumstances in the Networking/HTTP client  
component. An attacker could possibly use this issue to obtain sensitive  
information. (CVE-2024-21012)

Vladimir Kondratyev discovered that the Hotspot component of OpenJDK 17  
incorrectly handled address offset calculations in the C1 compiler. An  
attacker could possibly use this issue to cause a denial of service  
or execute arbitrary code. (CVE-2024-21068)

It was discovered that the Hotspot component of OpenJDK 17 incorrectly  
handled array accesses in the C2 compiler. An attacker could possibly use  
this issue to cause a denial of service or execute arbitrary code.  
(CVE-2024-21094)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10  
   openjdk-17-jdk                  17.0.11+9-1~23.10.1  
   openjdk-17-jdk-headless         17.0.11+9-1~23.10.1  
   openjdk-17-jre                  17.0.11+9-1~23.10.1  
   openjdk-17-jre-headless         17.0.11+9-1~23.10.1  
   openjdk-17-jre-zero             17.0.11+9-1~23.10.1

Ubuntu 22.04 LTS  
   openjdk-17-jdk                  17.0.11+9-1~22.04.1  
   openjdk-17-jdk-headless         17.0.11+9-1~22.04.1  
   openjdk-17-jre                  17.0.11+9-1~22.04.1  
   openjdk-17-jre-headless         17.0.11+9-1~22.04.1  
   openjdk-17-jre-zero             17.0.11+9-1~22.04.1

Ubuntu 20.04 LTS  
   openjdk-17-jdk                  17.0.11+9-1~20.04.2  
   openjdk-17-jdk-headless         17.0.11+9-1~20.04.2  
   openjdk-17-jre                  17.0.11+9-1~20.04.2  
   openjdk-17-jre-headless         17.0.11+9-1~20.04.2  
   openjdk-17-jre-zero             17.0.11+9-1~20.04.2

Ubuntu 18.04 LTS  
   openjdk-17-jdk                  17.0.11+9-1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-17-jdk-headless         17.0.11+9-1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-17-jre                  17.0.11+9-1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-17-jre-headless         17.0.11+9-1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-17-jre-zero             17.0.11+9-1~18.04.1  
                                   Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart any Java  
applications to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6812-1  
   CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21094

Package Information:  
   https://launchpad.net/ubuntu/+source/openjdk-17/17.0.11+9-1~23.10.1  
   https://launchpad.net/ubuntu/+source/openjdk-17/17.0.11+9-1~22.04.1  
   https://launchpad.net/ubuntu/+source/openjdk-17/17.0.11+9-1~20.04.2

Ubuntu Security Notice USN-6812-1

Ubuntu Security Notice 6811-1 - It was discovered that the Hotspot component of OpenJDK 11 incorrectly handled certain exceptions with specially crafted long messages. An attacker could possibly use this issue to cause a denial of service. It was discovered that OpenJDK 11 incorrectly performed reverse DNS query under certain circumstances in the Networking/HTTP client component. An attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6811-1  
June 06, 2024

openjdk-lts vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK 11.

Software Description:  
- openjdk-lts: Open Source Java implementation

Details:

It was discovered that the Hotspot component of OpenJDK 11 incorrectly  
handled certain exceptions with specially crafted long messages. An  
attacker could possibly use this issue to cause a denial of service.  
(CVE-2024-21011)

It was discovered that OpenJDK 11 incorrectly performed reverse DNS  
query under certain circumstances in the Networking/HTTP client  
component. An attacker could possibly use this issue to obtain sensitive  
information. (CVE-2024-21012)

Vladimir Kondratyev discovered that the Hotspot component of OpenJDK 11  
incorrectly handled address offset calculations in the C1 compiler. An  
attacker could possibly use this issue to cause a denial of service  
or execute arbitrary code. (CVE-2024-21068)

Yakov Shafranovich discovered that OpenJDK 11 did not properly manage  
memory in the Pack200 archive format. An attacker could possibly use this  
issue to cause a denial of service. (CVE-2024-21085)

It was discovered that the Hotspot component of OpenJDK 11 incorrectly  
handled array accesses in the C2 compiler. An attacker could possibly use  
this issue to cause a denial of service or execute arbitrary code.  
(CVE-2024-21094)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10  
   openjdk-11-jdk                  11.0.23+9-1ubuntu1~23.10.1  
   openjdk-11-jdk-headless         11.0.23+9-1ubuntu1~23.10.1  
   openjdk-11-jre                  11.0.23+9-1ubuntu1~23.10.1  
   openjdk-11-jre-headless         11.0.23+9-1ubuntu1~23.10.1  
   openjdk-11-jre-zero             11.0.23+9-1ubuntu1~23.10.1

Ubuntu 22.04 LTS  
   openjdk-11-jdk                  11.0.23+9-1ubuntu1~22.04.1  
   openjdk-11-jdk-headless         11.0.23+9-1ubuntu1~22.04.1  
   openjdk-11-jre                  11.0.23+9-1ubuntu1~22.04.1  
   openjdk-11-jre-headless         11.0.23+9-1ubuntu1~22.04.1  
   openjdk-11-jre-zero             11.0.23+9-1ubuntu1~22.04.1

Ubuntu 20.04 LTS  
   openjdk-11-jdk                  11.0.23+9-1ubuntu1~20.04.2  
   openjdk-11-jdk-headless         11.0.23+9-1ubuntu1~20.04.2  
   openjdk-11-jre                  11.0.23+9-1ubuntu1~20.04.2  
   openjdk-11-jre-headless         11.0.23+9-1ubuntu1~20.04.2  
   openjdk-11-jre-zero             11.0.23+9-1ubuntu1~20.04.2

Ubuntu 18.04 LTS  
   openjdk-11-jdk                  11.0.23+9-1ubuntu1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-11-jdk-headless         11.0.23+9-1ubuntu1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-11-jre                  11.0.23+9-1ubuntu1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-11-jre-headless         11.0.23+9-1ubuntu1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-11-jre-zero             11.0.23+9-1ubuntu1~18.04.1  
                                   Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart any Java  
applications to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6811-1  
   CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085,  
   CVE-2024-21094

Package Information:  
   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.23+9-1ubuntu1~23.10.1  
   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.23+9-1ubuntu1~22.04.1  
   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.23+9-1ubuntu1~20.04.2

Ubuntu Security Notice USN-6811-1

Ubuntu Security Notice 6810-1 - It was discovered that the Hotspot component of OpenJDK 8 incorrectly handled certain exceptions with specially crafted long messages. An attacker could possibly use this issue to cause a denial of service. Vladimir Kondratyev discovered that the Hotspot component of OpenJDK 8 incorrectly handled address offset calculations in the C1 compiler. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6810-1  
June 06, 2024

openjdk-8 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK 8.

Software Description:  
- openjdk-8: Open Source Java implementation

Details:

It was discovered that the Hotspot component of OpenJDK 8 incorrectly  
handled certain exceptions with specially crafted long messages. An  
attacker could possibly use this issue to cause a denial of service.  
(CVE-2024-21011)

Vladimir Kondratyev discovered that the Hotspot component of OpenJDK 8  
incorrectly handled address offset calculations in the C1 compiler. An  
attacker could possibly use this issue to cause a denial of service  
or execute arbitrary code. (CVE-2024-21068)

Yakov Shafranovich discovered that OpenJDK 8 did not properly manage  
memory in the Pack200 archive format. An attacker could possibly use this  
issue to cause a denial of service. (CVE-2024-21085)

It was discovered that the Hotspot component of OpenJDK 8 incorrectly  
handled array accesses in the C2 compiler. An attacker could possibly use  
this issue to cause a denial of service or execute arbitrary code.  
(CVE-2024-21094)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   openjdk-8-jdk                   8u412-ga-1~24.04.2  
   openjdk-8-jdk-headless          8u412-ga-1~24.04.2  
   openjdk-8-jre                   8u412-ga-1~24.04.2  
   openjdk-8-jre-headless          8u412-ga-1~24.04.2  
   openjdk-8-jre-zero              8u412-ga-1~24.04.2

Ubuntu 23.10  
   openjdk-8-jdk                   8u412-ga-1~23.10.1  
   openjdk-8-jdk-headless          8u412-ga-1~23.10.1  
   openjdk-8-jre                   8u412-ga-1~23.10.1  
   openjdk-8-jre-headless          8u412-ga-1~23.10.1  
   openjdk-8-jre-zero              8u412-ga-1~23.10.1

Ubuntu 22.04 LTS  
   openjdk-8-jdk                   8u412-ga-1~22.04.1  
   openjdk-8-jdk-headless          8u412-ga-1~22.04.1  
   openjdk-8-jre                   8u412-ga-1~22.04.1  
   openjdk-8-jre-headless          8u412-ga-1~22.04.1  
   openjdk-8-jre-zero              8u412-ga-1~22.04.1

Ubuntu 20.04 LTS  
   openjdk-8-jdk                   8u412-ga-1~20.04.1  
   openjdk-8-jdk-headless          8u412-ga-1~20.04.1  
   openjdk-8-jre                   8u412-ga-1~20.04.1  
   openjdk-8-jre-headless          8u412-ga-1~20.04.1  
   openjdk-8-jre-zero              8u412-ga-1~20.04.1

Ubuntu 18.04 LTS  
   openjdk-8-jdk                   8u412-ga-1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-8-jdk-headless          8u412-ga-1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-8-jre                   8u412-ga-1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-8-jre-headless          8u412-ga-1~18.04.1  
                                   Available with Ubuntu Pro  
   openjdk-8-jre-zero              8u412-ga-1~18.04.1  
                                   Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart any Java  
applications to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6810-1  
   CVE-2024-21011, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094

Package Information:  
   https://launchpad.net/ubuntu/+source/openjdk-8/8u412-ga-1~24.04.2  
   https://launchpad.net/ubuntu/+source/openjdk-8/8u412-ga-1~23.10.1  
   https://launchpad.net/ubuntu/+source/openjdk-8/8u412-ga-1~22.04.1  
   https://launchpad.net/ubuntu/+source/openjdk-8/8u412-ga-1~20.04.1

Ubuntu Security Notice USN-6810-1

Ubuntu Security Notice 6808-1 - It was discovered that Atril was vulnerable to a path traversal attack. An attacker could possibly use this vulnerability to create arbitrary files on the host filesystem with user privileges.

==========================================================================  
Ubuntu Security Notice USN-6808-1  
June 05, 2024

atril vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Atril could be made to create arbitrary files when opening a specially  
crafted EPUB file.

Software Description:  
- atril: Official Document Viewer of the MATE Desktop Environment

Details:

It was discovered that Atril was vulnerable to a path traversal attack.  
An attacker could possibly use this vulnerability to create arbitrary  
files on the host filesystem with user privileges.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10  
    atril                           1.26.0-2ubuntu0.1  
    atril-common                    1.26.0-2ubuntu0.1  
    libatrildocument3               1.26.0-2ubuntu0.1

Ubuntu 22.04 LTS  
    atril                           1.26.0-1ubuntu1.1  
    atril-common                    1.26.0-1ubuntu1.1  
    libatrildocument3               1.26.0-1ubuntu1.1

Ubuntu 20.04 LTS  
    atril                           1.24.0-1ubuntu0.1  
    atril-common                    1.24.0-1ubuntu0.1  
    libatrildocument3               1.24.0-1ubuntu0.1

Ubuntu 18.04 LTS  
    atril                           1.20.1-2ubuntu2+esm1  
                                    Available with Ubuntu Pro  
    atril-common                    1.20.1-2ubuntu2+esm1  
                                    Available with Ubuntu Pro  
    libatrildocument3               1.20.1-2ubuntu2+esm1  
                                    Available with Ubuntu Pro

Ubuntu 16.04 LTS  
    atril                           1.12.2-1ubuntu0.3+esm1  
                                    Available with Ubuntu Pro  
    atril-common                    1.12.2-1ubuntu0.3+esm1  
                                    Available with Ubuntu Pro  
    libatrildocument3               1.12.2-1ubuntu0.3+esm1  
                                    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
    https://ubuntu.com/security/notices/USN-6808-1  
    CVE-2023-52076

Package Information:  
    https://launchpad.net/ubuntu/+source/atril/1.26.0-2ubuntu0.1  
    https://launchpad.net/ubuntu/+source/atril/1.26.0-1ubuntu1.1  
    https://launchpad.net/ubuntu/+source/atril/1.24.0-1ubuntu0.1

Ubuntu Security Notice USN-6808-1

Red Hat Security Advisory 2024-3671-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3671.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: ruby:3.3 security, bug fix, and enhancement updateAdvisory ID:        RHSA-2024:3671-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3671Issue date:         2024-06-06Revision:           03CVE Names:          CVE-2024-27280====================================================================Summary: An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.The following packages have been upgraded to a later upstream version: ruby (3.3). (RHEL-37697)Security Fix(es):* ruby: Buffer overread vulnerability in StringIO (CVE-2024-27280)* ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281)* ruby: Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27280References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2270749https://bugzilla.redhat.com/show_bug.cgi?id=2270750https://bugzilla.redhat.com/show_bug.cgi?id=2276810

Red Hat Security Advisory 2024-3671-03

Red Hat Security Advisory 2024-3670-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3670.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: ruby:3.3 security, bug fix, and enhancement updateAdvisory ID:        RHSA-2024:3670-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3670Issue date:         2024-06-06Revision:           03CVE Names:          CVE-2024-27280====================================================================Summary: An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.The following packages have been upgraded to a later upstream version: ruby (3.3). (RHEL-37446)Security Fix(es):* ruby: Buffer overread vulnerability in StringIO (CVE-2024-27280)* ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281)* ruby: Arbitrary memory address read vulnerability with Regex search(CVE-2024-27282)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27280References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2270749https://bugzilla.redhat.com/show_bug.cgi?id=2270750https://bugzilla.redhat.com/show_bug.cgi?id=2276810