These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4465-1: linux kernel vulnerabilities

It was discovered that the XFS file system implementation in the Linux kernel did not properly validate meta data in some circumstances. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service. (CVE-2020-12655) It was discovered that the bcache subsystem in the Linux kernel did…

23 August 2020 | ubuntu-18.04-lts

USN-4468-1: Bind vulnerabilities

Emanuel Almeida discovered that Bind incorrectly handled certain TCP payloads. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8620) Joseph Gullo discovered that Bind incorrectly handled QNAME minimization when used in certain…

21 August 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4466-2: curl vulnerability

USN-4466-1 fixed a vulnerability in curl. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: Marc Aldorasi discovered that curl incorrectly handled the libcurl CURLOPT_CONNECT_ONLY option. This could result in data being sent to the wrong destination, possibly exposing sensitive information.

20 August 2020 | ubuntu-14.04-esm

USN-4467-1: QEMU vulnerabilities

Ziming Zhang and VictorV discovered that the QEMU SLiRP networking implementation incorrectly handled replying to certain ICMP echo requests. An attacker inside a guest could possibly use this issue to leak host memory to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-10756) Eric Blake and Xueqiang Wei…

19 August 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4466-1: curl vulnerability

Marc Aldorasi discovered that curl incorrectly handled the libcurl CURLOPT_CONNECT_ONLY option. This could result in data being sent to the wrong destination, possibly exposing sensitive information.

19 August 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4464-1: GNOME Shell vulnerability

It was discovered that GNOME Shell incorrectly handled the login screen password dialog. Sensitive information could possibly be exposed during user logout.

18 August 2020 | ubuntu-20.04-lts

USN-4463-1: Linux kernel vulnerabilities

It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12771) Kyungtae Kim discovered that the USB testing driver in the Linux kernel did not properly deallocate memory on disconnect events. A…

18 August 2020 | ubuntu-16.04-lts, ubuntu-14.04-esm

USN-4462-1: Linux kernel vulnerability

It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service.

18 August 2020 | ubuntu-18.04-lts

USN-4461-1: Ark vulnerability

Dominik Penner discovered that Ark did not properly sanitize zip archive files before performing extraction. An attacker could use this to construct a malicious zip archive that, when opened, would create files outside the extraction directory.

18 August 2020 | ubuntu-20.04-lts, ubuntu-18.04-lts

USN-4460-1: Oniguruma vulnerabilities

It was discovered that Oniguruma incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information or other unspecified impact. (CVE-2019-16163, CVE-2019-19012, CVE-2019-19204, CVE-2019-19246)

17 August 2020 | ubuntu-14.04-esm