These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-3854-1: WebKitGTK+ vulnerabilities

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

10 January 2019 | ubuntu-18.10, ubuntu-18.04-lts

USN-3853-1: GnuPG vulnerability

Ben Fuhrmannek discovered that GnuPG incorrectly handled Web Key Directory lookups. A remote attacker could possibly use this issue to cause a denial of service, or perform Cross-Site Request Forgery attacks.

10 January 2019 | ubuntu-18.10, ubuntu-18.04-lts

USN-3852-1: Exiv2 vulnerabilities

It was discovered that Exiv2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. CVE-2017-9239 only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-11591, CVE-2017-11683, CVE-2017-14859, CVE-2017-14862, CVE-2017-14864, CVE-2017-17669, CVE-2017-9239, CVE-2018-16336, CVE-2018-1758)

10 January 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3851-1: Django vulnerability

It was discovered that Django incorrectly handled the default 404 page. A remote attacker could use this issue to spoof content using a malicious URL.

9 January 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3850-1: NSS vulnerabilities

Keegan Ryan discovered that NSS incorrectly handled ECDSA key generation. A local attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. (CVE-2018-0495) It was discovered that NSS incorrectly handled certain v2-compatible ClientHello messages. A remote attacker could possibly use this issue…

9 January 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3848-2: Linux kernel (Xenial HWE) vulnerabilities

USN-3848-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that a double free existed in the AMD GPIO driver in the Linux kernel. A local attacker could use this to cause a…

20 December 2018 | ubuntu-14.04-lts

USN-3849-2: Linux kernel (Trusty HWE) vulnerabilities

USN-3849-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. It was discovered that a NULL pointer dereference existed in the keyring subsystem of the Linux kernel. A local attacker could use this…

20 December 2018 | ubuntu-12.04-esm

USN-3849-1: Linux kernel vulnerabilities

It was discovered that a NULL pointer dereference existed in the keyring subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2647) It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local…

20 December 2018 | ubuntu-14.04-lts

USN-3848-1: Linux kernel vulnerabilities

It was discovered that a double free existed in the AMD GPIO driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18174) It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local…

20 December 2018 | ubuntu-16.04-lts

USN-3847-3: Linux kernel (Azure) vulnerabilities

USN-3847-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux kernel for Microsoft Azure Cloud systems for Ubuntu 14.04 LTS. It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local…

20 December 2018 | ubuntu-14.04-lts