These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4511-1: QEMU vulnerability

Ziming Zhang, Xiao Wei, Gonglei Arei, and Yanyu Zhang discovered that QEMU incorrectly handled certain USB packets. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would…

17 September 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4510-1: Samba vulnerability

Tom Tervoort discovered that the Netlogon protocol implemented by Samba incorrectly handled the authentication scheme. A remote attacker could use this issue to forge an authentication token and steal the credentials of the domain admin. This update fixes the issue by changing the "server schannel" setting to default to "yes", instead of "auto",…

17 September 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4509-1: Perl DBI module vulnerabilities

It was discovered that the Perl DBI module incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2013-7490) It was discovered that the Perl DBI module incorrectly handled certain files. An attacker could possibly use this issue to expose sensitive information. (CVE-2014-10401)

17 September 2020 | ubuntu-14.04-esm

USN-4508-1: StoreBackup vulnerability

It was discovered that StoreBackup did not properly manage lock files. A local attacker could use this issue to cause a denial of service or escalate privileges and run arbitrary code. (CVE-2020-7040)

16 September 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4507-1: ncmpc vulnerability

It was discovered that ncmpc incorrectly handled long chat messages. A remote attacker could possibly exploit this with a crafted chat message, causing ncmpc to crash, resulting in a denial of service. (CVE-2018-9240)

16 September 2020 | ubuntu-16.04-lts

USN-4506-1: MCabber vulnerability

It was discovered that MCabber does not properly manage roster pushes. An attacker could possibly use this issue to remotely perform man-in-the-middle attacks. (CVE-2016-9928)

16 September 2020 | ubuntu-16.04-lts

USN-4505-1: PHPMailer vulnerability

Elar Lang discovered that PHPMailer did not properly escape double quote characters in filenames. A remote attacker could possibly exploit this with a crafted filename to bypass attachment filters that are based on matching filename extensions. (CVE-2020-13625)

16 September 2020 | ubuntu-18.04-lts

USN-4504-1: OpenSSL vulnerabilities

Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites…

16 September 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4502-1: websocket-extensions vulnerability

It was discovered that websocket-extensions does not properly parse special headers. A remote attacker could use this issue to cause regex backtracking, resulting in a denial of service. (CVE-2020-7663)

16 September 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4503-1: Perl DBI module vulnerability

It was discovered that the Perl DBI module incorrectly handled certain calls. An attacker could possibly use this issue to execute arbitrary code.

16 September 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm