These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4236-2: Libgcrypt vulnerability

USN-4236-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding fix for Ubuntu 16.04 LTS. Original advisory details: It was discovered that Libgcrypt was susceptible to a ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information.

14 January 2020 | ubuntu-16.04-lts

USN-4237-1: SpamAssassin vulnerabilities

It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker could possibly run arbitrary code. (CVE-2018-11805) It was discovered that SpamAssassin incorrectly handled certain messages. A remote attacker could possibly use this issue…

13 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4236-1: Libgcrypt vulnerability

It was discovered that Libgcrypt was susceptible to a ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information.

13 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts

USN-4235-1: nginx vulnerability

Bert JW Regeer and Francisco Oca Gonzalez discovered that nginx incorrectly handled certain error_page configurations. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks and access resources contrary to expectations.

13 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4047-2: libvirt update vulnerability

USN-4047-1 fixed a vulnerability in libvirt. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: Matthias Gerstner and Ján Tomko discovered that libvirt incorrectly handled certain API calls. An attacker could possibly use this issue to check for arbitrary files, or execute arbitrary binaries. In the…

13 January 2020 | ubuntu-14.04-esm

USN-4234-1: Firefox vulnerabilities

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass Content Security Policy (CSP) restrictions, conduct cross-site scripting (XSS) attacks, or execute arbitrary code.

9 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4229-1: NTP vulnerability

It was discovered that ntpq and ntpdc incorrectly handled some arguments. An attacker could possibly use this issue to cause ntpq or ntpdc to crash, execute arbitrary code, or escalate to higher privileges.

9 January 2020 | ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4233-1: GnuTLS update

As a security improvement, this update marks SHA1 as being untrusted for digital signature operations.

9 January 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4231-1: NSS vulnerability

It was discovered that NSS incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.

8 January 2020 | ubuntu-19.10, ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4232-1: GraphicsMagick vulnerabilities

It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.

8 January 2020 | ubuntu-16.04-lts