These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-3930-2: Linux kernel (HWE) vulnerabilities

USN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS. Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically…

2 April 2019 | ubuntu-18.04-lts

USN-3930-1: Linux kernel vulnerabilities

Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation…

2 April 2019 | ubuntu-18.10

USN-3929-1: Firebird vulnerabilities

It was discovered that Firebird incorrectly handled certain malformed packets. A remote attacker could possibly use this issue with a specially crafted network packet to cause Firebird to crash, resulting in a denial of service. (CVE-2014-9323) It was discovered that Firebird incorrectly handled certain UDF libraries. A remote attacker could…

2 April 2019 | ubuntu-14.04-lts

USN-3928-1: Dovecot vulnerability

It was discovered that Dovecot incorrectly handled reading certain headers from the index. A local attacker could possibly use this issue to escalate privileges.

1 April 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3926-1: GPAC vulnerabilities

It was discovered that the GPAC MP4Box utility incorrectly handled certain memory operations. If an user or automated system were tricked into opening a specially crafted MP4 file, a remote attacker could use this issue to cause MP4Box to crash, resulting in a denial of service, or possibly execute arbitrary code.

29 March 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-3927-1: Thunderbird vulnerabilities

It was discovered that Thunderbird allowed PAC files to specify that requests to localhost are sent through the proxy to another server. If proxy auto-detection is enabled, an attacker could potentially exploit this to conduct attacks on local services and tools. (CVE-2018-18506) Multiple security issues were discovered in Thunderbird. If a user…

28 March 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3918-3: Firefox regression

USN-3918-1 fixed vulnerabilities in Firefox. The update caused web compatibility issues with some websites. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could …

28 March 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3925-1: FreeImage vulnerability

It was discovered that an out-of-bounds write vulnerability existed in the XMP image handling functionality of the FreeImage library. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could overwrite arbitrary memory, resulting in code execution.

28 March 2019 | ubuntu-16.04-lts, ubuntu-14.04-lts

USN-3924-1: mod_auth_mellon vulnerabilities

It was discovered that mod_auth_mellon incorrectly handled certain requests. An attacker could possibly use this issue to redirect a user to a malicious URL. (CVE-2019-3877) It was discovered that mod_auth_mellon incorrectly handled certain requests. An attacker could possibly use this issue to access sensitive information. (CVE-2019-3878)

28 March 2019 | ubuntu-18.10, ubuntu-18.04-lts

USN-3923-1: QEMU vulnerabilities

Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol (MTP). An attacker inside the guest could use this issue to read or write arbitrary files and cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.10. (CVE-2018-16867) Michael Hanselmann discovered that QEMU…

27 March 2019 | ubuntu-18.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-lts