Ubuntu 7117-1 critical: needrestart & libmodule-scandeps code risks
Nov 19, 2024
•
LinuxSecurity Advisories
2 - 3 min read
Several security issues were fixed in libmodule-scandeps-perl, needrestart.
==========================================================================
Ubuntu Security Notice USN-7117-1
November 19, 2024
Several security issues were fixed in needrestart and Module::ScanDeps
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in libmodule-scandeps-perl, needrestart.
Software Description:
- libmodule-scandeps-perl: module to recursively scan Perl code for
dependencies
- needrestart: check which daemons need to be restarted after library
upgrades
Details:
Qualys discovered that needrestart passed unsanitized data to a library
(libmodule-scandeps-perl) which expects safe input. A local attacker could
possibly use this issue to execute arbitrary code as root.
(CVE-2024-11003)
Qualys discovered that the library libmodule-scandeps-perl incorrectly
parsed perl code. This could allow a local attacker to execute arbitrary
shell commands. (CVE-2024-10224)
Qualys discovered that needrestart incorrectly used the PYTHONPATH
environment variable to spawn a new Python interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48990)
Qualys discovered that needrestart incorrectly checked the path to the
Python interpreter. A local attacker could possibly use this issue to win
a race condition and execute arbitrary code as root. (CVE-2024-48991)
Qualys discovered that needrestart incorrectly used the RUBYLIB
environment variable to spawn a new Ruby interpreter. A local attacker
could possibly use this issue to execute arbitrary code as root.
(CVE-2024-48992)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libmodule-scandeps-perl 1.35-1ubuntu0.24.10.1
needrestart 3.6-8ubuntu4.2
Ubuntu 24.04 LTS
libmodule-scandeps-perl 1.35-1ubuntu0.24.04.1
needrestart 3.6-7ubuntu4.3
Ubuntu 22.04 LTS
libmodule-scandeps-perl 1.31-1ubuntu0.1
needrestart 3.5-5ubuntu2.2
Ubuntu 20.04 LTS
libmodule-scandeps-perl 1.27-1ubuntu0.1~esm1
Available with Ubuntu Pro
needrestart 3.4-6ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libmodule-scandeps-perl 1.24-1ubuntu0.1~esm1
Available with Ubuntu Pro
needrestart 3.1-1ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libmodule-scandeps-perl 1.20-1ubuntu0.1~esm1
Available with Ubuntu Pro
needrestart 2.6-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7117-1
CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-48991,
CVE-2024-48992
Package Information:
https://launchpad.net/ubuntu/+source/needrestart/3.6-8ubuntu4.2
https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.31-1ubuntu0.1
PREVIOUS
NEXT
Ubuntu 7117-1 critical: needrestart & libmodule-scandeps code risks
ubuntu
November 19, 2024
Several security issues were fixed in libmodule-scandeps-perl, needrestart.
Summary
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in libmodule-scandeps-perl, needrestart. Software Description: - libmodule-scandeps-perl: module to recursively scan Perl code for dependencies - needrestart: check which daemons need to be restarted after library upgrades Details: Qualys discovered that needrestart passed unsanitized data to a library (libmodule-scandeps-perl) which expects safe input. A local attacker could possibly use this issue to execute arbitrary code as root. (CVE-2024-11003) Qualys discovered that the library libmodule-scandeps-perl incorrectly parsed perl code. This could allow a local attacker to execute arbitrary shell commands. (CVE-2024-10224) Qualys discovered that needrestart incorrectly used the PYTHONPATH environment variable to spawn ...
Read the Full AdvisoryUpdate Instructions
The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 libmodule-scandeps-perl 1.35-1ubuntu0.24.10.1 needrestart 3.6-8ubuntu4.2 Ubuntu 24.04 LTS libmodule-scandeps-perl 1.35-1ubuntu0.24.04.1 needrestart 3.6-7ubuntu4.3 Ubuntu 22.04 LTS libmodule-scandeps-perl 1.31-1ubuntu0.1 needrestart 3.5-5ubuntu2.2 Ubuntu 20.04 LTS libmodule-scandeps-perl 1.27-1ubuntu0.1~esm1 Available with Ubuntu Pro needrestart 3.4-6ubuntu0.1+esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS libmodule-scandeps-perl 1.24-1ubuntu0.1~esm1 Available with Ubuntu Pro needrestart 3.1-1ubuntu0.1+esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS libmodule-scandeps-perl 1.20-1ubuntu0.1~esm1 Available with Ubuntu Pro needrestart 2.6-1ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes.
References
https://ubuntu.com/security/notices/USN-7117-1
CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-48991,
CVE-2024-48992
Severity
critical
Lowest
Low
Medium
High
Critical
Package Information
https://launchpad.net/ubuntu/+source/needrestart/3.6-8ubuntu4.2 https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.31-1ubuntu0.1
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!