These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-3717-2: PolicyKit vulnerabilities

USN-3717-1 fixed a vulnerability in PolicyKit. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that PolicyKit incorrectly handled certain duplicate action IDs. A local attacker could use this issue to cause PolicyKit to crash, resulting in a denial of service, or possibly…

17 July 2018 | ubuntu-12.04-esm

USN-3717-1: PolicyKit vulnerabilities

Tavis Ormandy discovered that PolicyKit incorrectly handled certain invalid object paths. A local attacker could possibly use this issue to cause PolicyKit to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-3218) It was discovered that PolicyKit incorrectly handled certain duplicate action IDs. A…

16 July 2018 | ubuntu-18.04-lts, ubuntu-17.10, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3714-1: Thunderbird vulnerabilities

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass CORS restrictions, obtain sensitive information, or execute arbitrary code. (CVE-2018-12359, CVE-2018-12360,…

12 July 2018 | ubuntu-18.04-lts, ubuntu-17.10, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3716-1: Dnsmasq update

This update adds the latest DNSSEC validation trust anchor required for the upcoming Root Zone KSK Rollover.

12 July 2018 | ubuntu-16.04-lts

USN-3715-1: dns-root-data update

This update adds the latest DNSSEC validation trust anchor required for the upcoming Root Zone KSK Rollover and refreshes the list of root hints.

12 July 2018 | ubuntu-17.10, ubuntu-16.04-lts

USN-3713-1: CUPS vulnerabilities

It was discovered that CUPS incorrectly handled certain print jobs with invalid usernames. A remote attacker could possibly use this issue to cause CUPS to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2017-18248) Dan Bastone discovered that the CUPS dnssd backend…

11 July 2018 | ubuntu-18.04-lts, ubuntu-17.10, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3712-2: libpng vulnerability

USN-3712-1 fixed a vulnerability in libpng. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Patrick Keshishian discovered that libpng incorrectly handled certain PNG files. An attacker could possibly use this to cause a denial of service.

11 July 2018 | ubuntu-12.04-esm

USN-3712-1: libpng vulnerabilities

Patrick Keshishian discovered that libpng incorrectly handled certain PNG files. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10087) Thuan Pham discovered that libpng incorrectly handled certain PNG files. An attacker could possibly use this to cause a…

11 July 2018 | ubuntu-18.04-lts, ubuntu-17.10, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3711-1: ImageMagick vulnerabilities

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

11 July 2018 | ubuntu-18.04-lts, ubuntu-17.10, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3710-1: curl vulnerability

Peter Wu discovered that curl incorrectly handled certain SMTP buffers. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code.

11 July 2018 | ubuntu-18.04-lts, ubuntu-17.10