These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also follow the latest notices by subscribing to the RSS or Atom feed.

Latest notices

USN-4501-1: LuaJIT vulnerability

It was discovered that an out-of-bounds read existed in LuaJIT. An attacker could use this to cause a denial of service (application crash) or possibly expose sensitive information. (CVE-2020-15890)

15 September 2020 | ubuntu-16.04-lts

USN-4500-1: bsdiff vulnerabilities

It was discovered that bsdiff mishandled certain input. If a user were tricked into opening a malicious file, an attacker could cause bsdiff to crash or potentially execute arbitrary code.

15 September 2020 | ubuntu-16.04-lts

USN-4498-1: Loofah vulnerability

It was discovered that Loofah does not properly sanitize JavaScript in sanitized output. An attacker could possibly use this issue to perform XSS attacks. (CVE-2019-15587)

15 September 2020 | ubuntu-16.04-lts

USN-4499-1: MilkyTracker vulnerabilities

It was discovered that MilkyTracker did not properly handle certain input. If a user were tricked into opening a malicious file, an attacker could cause MilkyTracker to crash or potentially execute arbitrary code.

15 September 2020 | ubuntu-16.04-lts

USN-4497-1: OpenJPEG vulnerabilities

It was discovered that OpenJPEG incorrectly handled certain image files. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-9112) It was discovered that OpenJPEG did not properly handle certain input. If OpenJPEG were supplied with specially crafted input, it could be made to crash or potentially execute…

15 September 2020 | ubuntu-16.04-lts

USN-4496-1: Apache XML-RPC vulnerability

It was discovered that Apache XML-RPC (aka ws-xmlrpc) does not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-17570)

15 September 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4495-1: Apache Log4j vulnerability

It was discovered that Apache Log4j does not properly deserialize untrusted data. An attacker could possibly use this issue to remotely execute arbitrary code. (CVE-2019-17571)

15 September 2020 | ubuntu-18.04-lts

USN-4494-1: GUPnP vulnerability

It was discovered that GUPnP incorrectly handled certain subscription requests. A remote attacker could possibly use this issue to exfiltrate data or use GUPnP to perform DDoS attacks.

15 September 2020 | ubuntu-20.04-lts

USN-4493-1: cryptsetup vulnerability

It was discovered that cryptsetup incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.

14 September 2020 | ubuntu-20.04-lts

LSN-0071-1: Kernel Live Patch Security Notice

Several security issues were fixed in the kernel.

10 September 2020 | ubuntu-18.04-lts