These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4561-1: Rack vulnerabilities

It was discovered that Rack incorrectly handled certain paths. An attacker could possibly use this issue to obtain sensitive information. (CVE-2020-8161) It was discovered that Rack incorrectly validated cookies. An attacker could possibly use this issue to forge a secure cookie. (CVE-2020-8184)

30 September 2020 | ubuntu-18.04-lts

USN-4560-1: Gon gem vulnerability

It was discovered that Gon gem did not properly escape certain input. An attacker could use this vulnerability to execute a cross-site scripting (XSS) attack.

30 September 2020 | ubuntu-18.04-lts

USN-4559-1: Samba update

Tom Tervoort discovered that the Netlogon protocol implemented by Samba incorrectly handled the authentication scheme. A remote attacker could use this issue to forge an authentication token and steal the credentials of the domain admin. While a previous security update fixed the issue by changing the "server schannel" setting to default to…

30 September 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4558-1: libapreq2 vulnerabilities

It was discovered that libapreq2 did not properly sanitize the Content-Type field in certain, crafted HTTP requests. An attacker could use this vulnerability to cause libapreq2 to crash.

30 September 2020 | ubuntu-18.04-lts

USN-4557-1: Tomcat vulnerabilities

It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn’t exist. A remote attacker could possibly use this issue to enumerate usernames. (CVE-2016-0762) Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application…

30 September 2020 | ubuntu-16.04-lts

USN-4556-1: netqmail vulnerabilities

It was discovered that netqmail did not properly handle certain input. Both remote and local attackers could use this vulnerability to cause netqmail to crash or execute arbitrary code. (CVE-2005-1513, CVE-2005-1514, CVE-2005-1515) It was discovered that netqmail did not properly handle certain input when validating email addresses. An attacker…

29 September 2020 | ubuntu-20.04-lts

USN-4547-2: SSVNC vulnerabilities

It was discovered that the LibVNCClient vendored in SSVNC incorrectly handled certain packet lengths. A remote attacker could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. (CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-2024)

28 September 2020 | ubuntu-16.04-lts

USN-4554-1: libPGF vulnerability

It was discovered that libPGF lacked proper validation when opening a specially crafted PGF file. An attacker could possibly use this issue to cause a denial of service.

28 September 2020 | ubuntu-16.04-lts

USN-4552-1: Pam-python vulnerability

Malte Kraus discovered that Pam-python mishandled certain environment variables. A local attacker could potentially use this vulnerability to execute programs as root.

28 September 2020 | ubuntu-18.04-lts

USN-4553-1: Teeworlds vulnerability

It was discovered that Teeworlds server did not properly handler certain network traffic. A remote, unauthenticated attacker could use this vulnerability to cause Teeworlds server to crash.

28 September 2020 | ubuntu-20.04-lts