{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "libexpat1:riscv64", "python3-pkg-resources", "python3-setuptools" ] } }, "diff": { "deb": [ { "name": "libexpat1:riscv64", "from_version": { "source_package_name": "expat", "source_package_version": "2.6.1-2build1", "version": "2.6.1-2build1" }, "to_version": { "source_package_name": "expat", "source_package_version": "2.6.1-2ubuntu0.1", "version": "2.6.1-2ubuntu0.1" }, "cves": [ { "cve": "CVE-2024-45490", "url": "https://ubuntu.com/security/CVE-2024-45490", "cve_description": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45491", "url": "https://ubuntu.com/security/CVE-2024-45491", "cve_description": "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45492", "url": "https://ubuntu.com/security/CVE-2024-45492", "cve_description": "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-45490", "url": "https://ubuntu.com/security/CVE-2024-45490", "cve_description": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45491", "url": "https://ubuntu.com/security/CVE-2024-45491", "cve_description": "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45492", "url": "https://ubuntu.com/security/CVE-2024-45492", "cve_description": "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: invalid input length", " - CVE-2024-45490-*.patch: adds a check to the XML_ParseBuffer function of", " expat/lib/xmlparse.c to identify and error out if a negative length is", " provided.", " - CVE-2024-45490", " * SECURITY UPDATE: integer overflow", " - CVE-2024-45491.patch: adds a check to the dtdCopy function of", " expat/lib/xmlparse.c to detect and prevent an integer overflow.", " - CVE-2024-45491", " * SECURITY UPDATE: integer overflow", " - CVE-2024-45492.patch: adds a check to the nextScaffoldPart function of", " expat/lib/xmlparse.c to detect and prevent an integer overflow.", " - CVE-2024-45492", "" ], "package": "expat", "version": "2.6.1-2ubuntu0.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Tue, 10 Sep 2024 13:17:43 +0300" } ], "notes": null }, { "name": "python3-pkg-resources", "from_version": { "source_package_name": "setuptools", "source_package_version": "68.1.2-2ubuntu1", "version": "68.1.2-2ubuntu1" }, "to_version": { "source_package_name": "setuptools", "source_package_version": "68.1.2-2ubuntu1.1", "version": "68.1.2-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: remote code execution via package download functions", " - debian/patches/CVE-2024-6345.patch: modernize and fix VCS handling", " to prevent code injection in setuptools/package_index.py and", " setuptools/tests/test_packageindex.py. Also update setup.cfg to", " include new test dependencies.", " - CVE-2024-6345", "" ], "package": "setuptools", "version": "68.1.2-2ubuntu1.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 27 Aug 2024 21:44:12 +0530" } ], "notes": null }, { "name": "python3-setuptools", "from_version": { "source_package_name": "setuptools", "source_package_version": "68.1.2-2ubuntu1", "version": "68.1.2-2ubuntu1" }, "to_version": { "source_package_name": "setuptools", "source_package_version": "68.1.2-2ubuntu1.1", "version": "68.1.2-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: remote code execution via package download functions", " - debian/patches/CVE-2024-6345.patch: modernize and fix VCS handling", " to prevent code injection in setuptools/package_index.py and", " setuptools/tests/test_packageindex.py. Also update setup.cfg to", " include new test dependencies.", " - CVE-2024-6345", "" ], "package": "setuptools", "version": "68.1.2-2ubuntu1.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 27 Aug 2024 21:44:12 +0530" } ], "notes": null } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20240911 to 20240912", "from_series": "noble", "to_series": "noble", "from_serial": "20240911", "to_serial": "20240912", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }