These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4080-1: OpenJDK 8 vulnerabilities

Keegan Ryan discovered that the ECC implementation in OpenJDK was not sufficiently resilient to side-channel attacks. An attacker could possibly use this to expose sensitive information. (CVE-2019-2745) It was discovered that OpenJDK did not sufficiently validate serial streams before deserializing suppressed exceptions in some situations. An…

31 July 2019 | ubuntu-16.04-lts

USN-4079-1: SoX vulnerabilities

It was discovered that SoX incorrectly handled certain MP3 files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-8354, CVE-2019-8355, CVE-2019-8356, CVE-2019-8357)

30 July 2019 | ubuntu-16.04-lts

USN-4078-1: OpenLDAP vulnerabilities

It was discovered that OpenLDAP incorrectly handled rootDN delegation. A database administrator could use this issue to request authorization as an identity from another database, contrary to expectations. (CVE-2019-13057) It was discovered that OpenLDAP incorrectly handled SASL authentication and session encryption. After a first SASL bind was…

30 July 2019 | ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4077-1: tmpreaper vulnerability

It was discovered that tmpreaper incorrectly handled certain mount operations. A local attacker could possibly use this issue to create arbitrary files, leading to privilege escalation.

29 July 2019 | ubuntu-18.04-lts, ubuntu-16.04-lts

USN-3990-2: urllib3 vulnerability

USN-3990-1 fixed a vulnerability in urllib3. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection. (CVE-2019-11236)

29 July 2019 | ubuntu-14.04-esm

USN-4076-1: Linux kernel vulnerabilities

It was discovered that a race condition existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2018-20836) It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero…

25 July 2019 | ubuntu-16.04-lts

USN-4054-2: Firefox regressions

USN-4054-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems. We apologize for the inconvenience. Original advisory details: A sandbox escape was discovered in Firefox. If a user were tricked in to installing a malicious language pack, an attacker could exploit this to gain…

25 July 2019 | ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4075-1: Exim vulnerability

Jeremy Harris discovered that Exim incorrectly handled sort expansions. In environments where sort expansions are used, a remote attacker could possibly use this issue to execute arbitrary code as root.

25 July 2019 | ubuntu-19.04, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4074-1: VLC vulnerabilities

It was discovered that the VLC CAF demuxer incorrectly handled certain files. If a user were tricked into opening a specially-crafted CAF file, a remote attacker could use this issue to cause VLC to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-19857) It was discovered that the VLC Matroska demuxer…

25 July 2019 | ubuntu-19.04, ubuntu-18.04-lts

USN-4073-1: libEBML vulnerability

It was discovered that libEBML incorrectly handled certain media files. If a user were tricked into opening a specially crafted media file, libEBML could possibly be made to crash, resulting in a denial of service.

25 July 2019 | ubuntu-18.04-lts, ubuntu-16.04-lts