These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4367-2: Linux kernel regression

USN-4367-1 fixed vulnerabilities in the 5.4 Linux kernel. Unfortunately, that update introduced a regression in overlayfs. This update corrects the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in…

28 May 2020 | ubuntu-20.04-lts

USN-4369-2: Linux kernel regression

USN-4369-1 fixed vulnerabilities in the 5.3 Linux kernel. Unfortunately, that update introduced a regression in overlayfs. This update corrects the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in…

28 May 2020 | ubuntu-19.10, ubuntu-18.04-lts

USN-4363-1: Linux kernel vulnerabilities

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494) It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local…

28 May 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4359-2: APT vulnerability

USN-4359-1 fixed a vulnerability in APT. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM. Original advisory details: It was discovered that APT incorrectly handled certain filenames during package installation. If an attacker could provide a specially crafted package to be installed by the system…

28 May 2020 | ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4376-1: OpenSSL vulnerabilities

Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. (CVE-2019-1547) Matt Caswell discovered that OpenSSL…

28 May 2020 | ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4360-4: json-c vulnerability

USN-4360-1 fixed a vulnerability in json-c. The security fix introduced a memory leak that was reverted in USN-4360-2 and USN-4360-3. This update provides the correct fix update for CVE-2020-12762. Original advisory details: It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to…

28 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4375-1: PHP vulnerability

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.

27 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4374-1: Unbound vulnerabilities

Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Unbound incorrectly handled certain queries. A remote attacker could use this issue to perform an amplification attack directed at a target. (CVE-2020-12662) It was discovered that Unbound incorrectly handled certain malformed answers. A remote attacker could possibly use this issue…

27 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts

USN-4373-1: Thunderbird vulnerabilities

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. (CVE-2020-6831, CVE-2020-12387, CVE-2020-12395) It was discovered that the Devtools’ ‘Copy as cURL’…

26 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4367-1: Linux kernel vulnerabilities

It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) It was discovered that the linux kernel did not…

24 May 2020 | ubuntu-20.04-lts