These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4241-1: Thunderbird vulnerabilities

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, conduct cross-site scripting (XSS) attacks, or execute arbitrary code. (CVE-2019-17005, CVE-2019-17008, CVE-2019-17010,…

16 January 2020 | ubuntu-19.10, ubuntu-18.04-lts

USN-4240-1: Kamailio vulnerability

It was discovered that Kamailio can be exploited by using a specially crafted message that can cause a buffer overflow issue.

16 January 2020 | ubuntu-16.04-lts

USN-4235-2: nginx vulnerability

USN-4235-1 fixed a vulnerability in nginx. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: Bert JW Regeer and Francisco Oca Gonzalez discovered that nginx incorrectly handled certain error_page configurations. A remote attacker could possibly use this issue to perform HTTP request smuggling…

15 January 2020 | ubuntu-14.04-esm

USN-4221-2: libpcap vulnerability

USN-4221-1 fixed a vulnerability in libpcap. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that libpcap did not properly validate PHB headers in some situations. An attacker could use this to cause a denial of service (memory exhaustion).

15 January 2020 | ubuntu-12.04-esm

USN-4239-1: PHP vulnerabilities

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, 19.04 and 19.10. (CVE-2019-11045) It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose…

15 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4237-2: SpamAssassin vulnerabilities

USN-4237-1 fixed several vulnerabilities in SpamAssassin. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM. Original advisory details: It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker…

15 January 2020 | ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4238-1: SDL_image vulnerabilities

It was discovered that SDL_image incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.

14 January 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4236-2: Libgcrypt vulnerability

USN-4236-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding fix for Ubuntu 16.04 LTS. Original advisory details: It was discovered that Libgcrypt was susceptible to an ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information.

14 January 2020 | ubuntu-16.04-lts

USN-4237-1: SpamAssassin vulnerabilities

It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker could possibly run arbitrary code. (CVE-2018-11805) It was discovered that SpamAssassin incorrectly handled certain messages. A remote attacker could possibly use this issue…

13 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4236-1: Libgcrypt vulnerability

It was discovered that Libgcrypt was susceptible to an ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information.

13 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts