These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list. To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4262-1: OpenStack Keystone vulnerability

Daniel Preussker discovered that OpenStack Keystone incorrectly handled the list credentials API. A user with a role on the project could use this issue to view any other user’s credentials.

30 January 2020 | ubuntu-19.10

USN-4261-1: WebKitGTK+ vulnerabilities

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

29 January 2020 | ubuntu-19.10, ubuntu-18.04-lts

USN-4259-1: Apache Solr vulnerability

Michael Stepankin and Olga Barinova discovered that Apache Solr was vulnerable to an XXE attack. An attacker could use this vulnerability to remotely execute code.

29 January 2020 | ubuntu-16.04-lts

USN-4254-2: Linux kernel (Xenial HWE) vulnerabilities

USN-4254-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics…

29 January 2020 | ubuntu-14.04-esm

USN-4258-1: Linux kernel vulnerabilities

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15099) It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An…

29 January 2020 | ubuntu-18.04-lts

USN-4253-2: Linux kernel (HWE) vulnerability

USN-4253-1 fixed vulnerabilities in the Linux kernel for Ubuntu 19.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 19.10 for Ubuntu 18.04 LTS. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors…

28 January 2020 | ubuntu-18.04-lts

USN-4255-2: Linux kernel (HWE) vulnerabilities

USN-4255-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics…

28 January 2020 | ubuntu-16.04-lts

USN-4257-1: OpenJDK vulnerabilities

It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583) It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An…

28 January 2020 | ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4236-3: Libgcrypt vulnerability

USN-4236-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that Libgcrypt was susceptible to a ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information.

28 January 2020 | ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4256-1: Cyrus SASL vulnerability

It was discovered that Cyrus SASL incorrectly handled certain LDAP packets. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service.

28 January 2020 | ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm