These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-3947-2: Libxslt vulnerability

USN-3947-1 fixed a vulnerability in Libxslt. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Libxslt incorrectly handled certain documents. An attacker could possibly use this issue to access sensitive information.

15 April 2019 | ubuntu-12.04-esm

USN-3947-1: Libxslt vulnerability

It was discovered that Libxslt incorrectly handled certain documents. An attacker could possibly use this issue to access sensitive information.

15 April 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3946-1: rssh vulnerabilities

It was discovered that rssh incorrectly handled certain command-line arguments and environment variables. An authenticated user could bypass rssh’s command restrictions, allowing an attacker to run arbitrary commands.

11 April 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3945-1: Ruby vulnerabilities

It was discovered that Ruby incorrectly handled certain RubyGems. An attacker could possibly use this issue to execute arbitrary commands. (CVE-2019-8320) It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324,…

11 April 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3944-1: wpa_supplicant and hostapd vulnerabilities

It was discovered that wpa_supplicant and hostapd were vulnerable to a side channel attack against EAP-pwd. A remote attacker could possibly use this issue to recover certain passwords. (CVE-2019-9495) Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly validated received scalar and element values in EAP-pwd-Commit messages….

10 April 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3937-2: Apache vulnerabilities

USN-3937-1 and USN-3627-1 fixed several vulnerabilities in Apache. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Simon Kappel discovered that the Apache HTTP Server mod_auth_digest module incorrectly handled threads. A remote attacker with valid credentials could possibly use this issue to…

10 April 2019 | ubuntu-12.04-esm

USN-3943-2: Wget vulnerability

USN-3943-1 fixed a vulnerability in Wget. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Kusano Kazuhiko discovered that Wget incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-5953)

9 April 2019 | ubuntu-12.04-esm

USN-3942-1: OpenJDK 7 vulnerability

It was discovered that a memory disclosure issue existed in the OpenJDK Library subsystem. An attacker could use this to expose sensitive information and possibly bypass Java sandbox restrictions.

9 April 2019 | ubuntu-14.04-lts

USN-3943-1: Wget vulnerabilities

It was discovered that Wget incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20483) Kusano Kazuhiko discovered that Wget incorrectly handled certain inputs. An attacker could possibly use this issue to execute…

8 April 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3938-1: systemd vulnerability

Jann Horn discovered that pam_systemd created logind sessions using some parameters from the environment. A local attacker could exploit this in order to spoof the active session and gain additional PolicyKit privileges.

8 April 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts