These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4432-1: GRUB 2 vulnerabilities

Jesse Michael and Mickey Shkatov discovered that the configuration parser in GRUB2 did not properly exit when errors were discovered, resulting in heap-based buffer overflows. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713) Chris Coulson discovered that the GRUB2 function…

29 July 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm

USN-4443-1: Firefox vulnerabilities

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass iframe sandbox restrictions, confuse the user, or execute arbitrary code. (CVE-2020-6463, CVE-2020-6514,…

29 July 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4436-2: librsvg regression

USN-4436-1 fixed a vulnerability in librsvg. The upstream fix caused a regression when parsing certain SVG files. This update backs out the fix pending further investigation. Original advisory details: It was discovered that librsvg incorrectly handled parsing certain SVG files. A remote attacker could possibly use this issue to cause librsvg…

29 July 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4442-1: Sympa vulnerabilities

Michael Kaczmarczik discovered that Sympa incorrectly handled HTTP GET/POST requests. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2018-1000550) It was discovered that Sympa incorrectly handled URL parameters. An attacker could possibly use this issue to perform XSS…

28 July 2020 | ubuntu-14.04-esm

USN-4441-1: MySQL vulnerabilities

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.21 in Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.31. In addition to security fixes, the updated packages contain bug fixes, new features, and…

28 July 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4427-1: Linux kernel vulnerabilities

It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory…

27 July 2020 | ubuntu-16.04-lts, ubuntu-14.04-esm

USN-4426-1: Linux kernel vulnerabilities

Jason A. Donenfeld discovered that the ACPI implementation in the Linux kernel did not properly restrict loading SSDT code from an EFI variable. A privileged attacker could use this to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel. (CVE-2019-20908) Fan Yang discovered that the mremap implementation in the Linux…

27 July 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4439-1: Linux kernel vulnerabilities

It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly…

27 July 2020 | ubuntu-18.04-lts

USN-4425-1: Linux kernel vulnerabilities

It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the kernel->user space relay implementation in the Linux kernel did not…

27 July 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts

USN-4435-2: ClamAV vulnerabilities

USN-4435-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of…

27 July 2020 | ubuntu-14.04-esm, ubuntu-12.04-esm