These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-3754-1: Linux kernel vulnerabilities

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208) It was discovered that an information disclosure vulnerability existed in the…

24 August 2018 | ubuntu-14.04-lts

USN-3753-1: Linux kernel vulnerabilities

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168) Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the…

24 August 2018 | ubuntu-16.04-lts

USN-3752-1: Linux kernel vulnerabilities

It was discovered that, when attempting to handle an out-of-memory situation, a null pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not…

24 August 2018 | ubuntu-18.04-lts

USN-3751-1: Spice vulnerability

It was discovered that Spice incorrectly handled certain messages. An attacker could possibly use this issue to cause a denial of service.

22 August 2018 | ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3750-1: Pango vulnerability

Jeffrey M. discovered that Pango incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.

22 August 2018 | ubuntu-18.04-lts

USN-3749-1: Spidermonkey vulnerabilities

Multiple memory safety issues were fixed in Spidermonkey. An attacker could potentially exploit these to cause a denial of service, or execute arbitrary code.

22 August 2018 | ubuntu-18.04-lts

USN-3748-1: base-files vulnerability

Sander Bos discovered that the MOTD update script incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled.

21 August 2018 | ubuntu-18.04-lts

USN-3747-1: OpenJDK 10 vulnerabilities

It was discovered that OpenJDK did not properly validate types in some situations. An attacker could use this to construct a Java class that could possibly bypass sandbox restrictions. (CVE-2018-2825, CVE-2018-2826) It was discovered that the PatternSyntaxException class in OpenJDK did not properly validate arguments passed to it. An attacker…

21 August 2018 | ubuntu-18.04-lts

USN-3742-3: Linux kernel (Trusty HWE) regressions

USN-3742-2 introduced mitigations in the Linux Hardware Enablement (HWE) kernel for Ubuntu 12.04 ESM to address L1 Terminal Fault (L1TF) vulnerabilities (CVE-2018-3620, CVE-2018-3646). Unfortunately, the update introduced regressions that caused kernel panics when booting in some environments as well as preventing Java applications from starting….

21 August 2018 | ubuntu-12.04-esm

USN-3746-1: APT vulnerability

It was discovered that APT incorrectly handled the mirror method (mirror://). If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages in environments configured to use mirror:// entries.

20 August 2018 | ubuntu-18.04-lts