These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

Latest notices

USN-4230-2: ClamAV vulnerability

USN-4230-1 fixed a vulnerability in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that ClamAV incorrectly handled certain MIME messages. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.

23 January 2020 | ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4233-2: GnuTLS update

USN-4233-1 disabled SHA1 being used for digital signature operations in GnuTLS. In certain network environments, certificates using SHA1 may still be in use. This update adds the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1 priority strings that can be used to temporarily re-enable SHA1 until certificates can be replaced with a stronger…

23 January 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4247-3: python-apt vulnerabilities

USN-4247-1 fixed several vulnerabilities in python-apt. This update provides the corresponding updates for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack,…

23 January 2020 | ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4249-1: e2fsprogs vulnerability

It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code.

23 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4247-2: python-apt regression

USN-4247-1 fixed vulnerabilities in python-apt. The updated packages caused a regression when attempting to upgrade to a new Ubuntu release. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a…

22 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4246-1: zlib vulnerabilities

It was discovered that zlib incorrectly handled pointer arithmetic. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that zlib incorrectly handled vectors involving left shifts of negative integers. An attacker could use…

22 January 2020 | ubuntu-16.04-lts

USN-4248-1: GraphicsMagick vulnerabilities

It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.

22 January 2020 | ubuntu-16.04-lts

USN-4247-1: python-apt vulnerabilities

It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795) It was discovered that python-apt could install packages from untrusted repositories, contrary…

22 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4245-1: PySAML2 vulnerability

It was discovered that PySAML2 incorrectly handled certain SAML files. An attacker could possibly use this issue to bypass signature verification with arbitrary data.

21 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4244-1: Samba vulnerabilities

It was discovered that Samba did not automatically replicate ACLs set to inherit down a subtree on AD Directory, contrary to expectations. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-14902) Robert Święcki discovered that Samba incorrectly handled certain character conversions when the log level is…

21 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts