These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4422-1: WebKitGTK+ vulnerabilities

A large number of security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

14 July 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts

USN-4376-2: OpenSSL vulnerabilities

USN-4376-1 fixed several vulnerabilities in OpenSSL. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Cesar Pereida GarcĂ­a, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA…

9 July 2020 | ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4421-1: Thunderbird vulnerabilities

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbtirary code. (CVE-2020-12405, CVE-2020-12406, CVE-2020-12410, CVE-2020-12417,…

8 July 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4420-1: Cinder and os-brick vulnerability

David Hill and Eric Harney discovered that Cinder and os-brick incorrectly handled ScaleIO backend credentials. An attacker could possibly use this issue to expose sensitive information.

7 July 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts

USN-4419-1: Linux kernel vulnerabilities

It was discovered that a race condition existed in the Precision Time Protocol (PTP) implementation in the Linux kernel, leading to a use-after- free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-10690) Matthew Sheets discovered that the SELinux…

6 July 2020 | ubuntu-16.04-lts, ubuntu-14.04-esm

USN-4414-1: Linux kernel vulnerabilities

It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly…

6 July 2020 | ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm

USN-4417-2: NSS vulnerability

USN-4417-1 fixed a vulnerability in NSS. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Cesar Pereida, Billy Bob Brumley, Yuval Yarom, and Nicola Tuveri discovered that NSS incorrectly handled RSA key generation. A local attacker could possibly use this issue to perform a…

6 July 2020 | ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4412-1: Linux kernel vulnerabilities

Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service (system crash). (CVE-2020-10711) It was discovered that the SCSI generic (sg) driver in the Linux kernel did not properly handle…

6 July 2020 | ubuntu-19.10, ubuntu-18.04-lts

USN-4411-1: Linux kernel vulnerabilities

It was discovered that the elf handling code in the Linux kernel did not initialize memory before using it in certain situations. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2020-10732) Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be…

6 July 2020 | ubuntu-20.04-lts

USN-4418-1: OpenEXR vulnerabilities

It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code.

6 July 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts