These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list. To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4571-1: rack-cors vulnerability

It was discovered that rack-cors did not properly handle relative file paths. An attacker could use this vulnerability to access arbitrary files.

5 October 2020 | ubuntu-16.04-lts

USN-4564-1: Apache Tika vulnerabilities

It was discovered that Apache Tika could use excessive memory when processing a crafted or corrupt PSD file. An attacker could use this to cause a denial of service (crash). (CVE-2020-1950, CVE-2020-1951)

5 October 2020 | ubuntu-16.04-lts

USN-4566-1: Cyrus IMAP Server vulnerabilities

It was discovered that Cyrus IMAP Server could execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name. An attacker could use this vulnerability to cause a crash or possibly execute arbitrary code. (CVE-2019-11356) It was discovered that the Cyrus IMAP Server allows users to create any mailbox with…

5 October 2020 | ubuntu-18.04-lts

USN-4570-1: urllib3 vulnerability

It was discovered that urllib3 incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection.

5 October 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4567-1: OpenDMARC vulnerability

It was discovered that OpenDMARC is prone to a signature-bypass vulnerability with multiple "From:" addresses. An attacker could use it to bypass spam and abuse filters.

5 October 2020 | ubuntu-18.04-lts

USN-4569-1: Yaws vulnerabilities

It was discovered that Yaws did not properly sanitize XML input. A remote attacker could use this vulnerability to execute an XML External Entity (XXE) injection attack. (CVE-2020-24379) It was discovered that Yaws mishandled certain input when running CGI scripts. A remote attacker could use this vulnerability to execute arbitrary commands…

5 October 2020 | ubuntu-18.04-lts

USN-4565-1: OpenConnect vulnerability

It was discovered that OpenConnect has a buffer overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes. An attacker could use it to provoke a denial of service (crash).

5 October 2020 | ubuntu-18.04-lts

USN-4568-1: Brotli vulnerability

It was discovered that Brotli incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash.

5 October 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4563-1: NTP vulnerability

It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash).

1 October 2020 | ubuntu-18.04-lts

USN-4562-1: kramdown vulnerability

It was discovered that kramdown insecurely handled certain crafted input. An attacker could use this vulnerability to read restricted files or execute arbitrary code.

30 September 2020 | ubuntu-20.04-lts