These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4552-2: Pam-python vulnerability

Malte Kraus discovered that Pam-python mishandled certain environment variables. A local attacker could potentially use this vulnerability to execute programs as root.

21 October 2020 | ubuntu-16.04-lts

USN-4596-1: Tomcat vulnerabilities

It was discovered that Tomcat did not properly manage HTTP/2 streams. An attacker could possibly use this to cause Tomcat to consume resources, resulting in a denial of service. (CVE-2020-11996) It was discovered that Tomcat did not properly release the HTTP/1.1 processor after the upgrade to HTTP/2. An attacker could possibly use this to…

21 October 2020 | ubuntu-20.04-lts

USN-4595-1: Grunt vulnerability

It was discovered that Grunt did not properly load yaml files. An attacker could possibly use this to execute arbitrary code. (CVE-2020-7729)

20 October 2020 | ubuntu-18.04-lts

USN-4594-1: Quassel vulnerabilities

It was discovered that Quassel incorrectly handled the Qdatastream protocol. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2018-1000178) It was discovered that Quassel incorrectly handled certain login requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2018-1000179)

20 October 2020 | ubuntu-18.04-lts

USN-4587-1: iTALC vulnerabilities

Nicolas Ruff discovered that iTALC had buffer overflows, divide-by-zero errors and didn’t check malloc return values. A remote attacker could use these issues to cause a denial of service or possibly execute arbitrary code. (CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055) Josef Gajdusek discovered that iTALC had…

20 October 2020 | ubuntu-16.04-lts

USN-4586-1: PHP ImageMagick vulnerability

It was discovered that the PHP ImageMagick extension didn’t check the address used by an array. An attacker could use this issue to cause PHP ImageMagick to crash, resulting in a denial of service.

20 October 2020 | ubuntu-18.04-lts

USN-4593-1: FreeType vulnerability

Sergei Glazunov discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges.

20 October 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4592-1: Linux kernel vulnerabilities

Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351) Andy Nguyen discovered that the Bluetooth A2MP implementation in the…

20 October 2020 | ubuntu-18.04-lts

USN-4591-1: Linux kernel vulnerabilities

Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351) Andy Nguyen discovered that the Bluetooth A2MP implementation in the…

19 October 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4588-1: FlightGear vulnerability

It was discovered that FlightGear could write arbitrary files if it received a special Nasal script. A remote attacker could exploit this with a crafted file to execute arbitrary code.

19 October 2020 | ubuntu-16.04-lts