These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-3832-1: Linux kernel (AWS) vulnerabilities

Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972) Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush…

30 November 2018 | ubuntu-18.10

USN-3795-3: libssh regression

USN-3795-1 and USN-3795-2 fixed a vulnerability in libssh. The upstream fix introduced a regression. This update fixes the problem. Original advisory details: Peter Winter-Smith discovered that libssh incorrectly handled authentication when being used as a server. A remote attacker could use this issue to bypass authentication without any…

29 November 2018 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3831-1: Ghostscript vulnerabilities

It was discovered that Ghostscript contained multiple security issues. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service.

29 November 2018 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3830-1: OpenJDK regression

USN-3804-1 fixed vulnerabilities in OpenJDK. Unfortunately, that update introduced a regression when validating JAR files that prevented Java applications from finding classes in some situations. This update fixes the problem. We apologize for the inconvenience.

28 November 2018 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-3827-2: Samba vulnerabilities

USN-3827-1 fixed a vulnerability in samba. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details: Florian Stuelpner discovered that Samba incorrectly handled CNAME records. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2018-14629) Alex MacCuish…

27 November 2018 | ubuntu-12.04-esm

USN-3816-3: systemd regression

USN-3816-1 fixed vulnerabilities in systemd. The fix for CVE-2018-6954 caused a regression in systemd-tmpfiles when running Ubuntu inside a container on some older kernels. This issue only affected Ubuntu 16.04 LTS. In order to continue to support this configuration, the fixes for CVE-2018-6954 have been reverted. We apologize for the…

27 November 2018 | ubuntu-16.04-lts

USN-3829-1: Git vulnerabilities

It was discovered that Git incorrectly handled layers of tree objects. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15298) It was discovered that Git incorrectly handled certain inputs. An attacker could possibly use this issue to execute…

27 November 2018 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3828-1: WebKitGTK+ vulnerabilities

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

27 November 2018 | ubuntu-18.10, ubuntu-18.04-lts

USN-3827-1: Samba vulnerabilities

Florian Stuelpner discovered that Samba incorrectly handled CNAME records. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2018-14629) Alex MacCuish discovered that Samba incorrectly handled memory when configured to accept smart-card authentication. A remote attacker could possibly use this…

27 November 2018 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3826-1: QEMU vulnerabilities

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled NE2000 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-10839) It was discovered that QEMU incorrectly handled the Slirp networking back-end. A privileged attacker inside the guest could…

26 November 2018 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts