These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-4360-4: json-c vulnerability

USN-4360-1 fixed a vulnerability in json-c. The security fix introduced a memory leak that was reverted in USN-4360-2 and USN-4360-3. This update provides the correct fix for CVE-2020-12762. Original advisory details: It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to…

28 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4375-1: PHP vulnerability

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.

27 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts, ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4374-1: Unbound vulnerabilities

Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Unbound incorrectly handled certain queries. A remote attacker could use this issue to perform an amplification attack directed at a target. (CVE-2020-12662) It was discovered that Unbound incorrectly handled certain malformed answers. A remote attacker could possibly use this issue…

27 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts

USN-4373-1: Thunderbird vulnerabilities

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. (CVE-2020-6831, CVE-2020-12387, CVE-2020-12395) It was discovered that the Devtools’ ‘Copy as cURL’…

26 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4367-1: Linux kernel vulnerabilities

It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) It was discovered that the Linux kernel did not…

24 May 2020 | ubuntu-20.04-lts

USN-4369-1: Linux kernel vulnerabilities

It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) Tristan Madani discovered that the file locking…

24 May 2020 | ubuntu-19.10, ubuntu-18.04-lts

USN-4370-2: ClamAV vulnerabilities

USN-4370-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM. Original advisory details: It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service….

21 May 2020 | ubuntu-14.04-esm, ubuntu-12.04-esm

USN-4372-1: QEMU vulnerabilities

It was discovered that QEMU incorrectly handled bochs-display devices. A local attacker in a guest could use this to cause a denial of service or possibly execute arbitrary code in the host. This issue only affected Ubuntu 19.10. (CVE-2019-15034) It was discovered that QEMU incorrectly handled memory during certain VNC operations. A remote…

21 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts

USN-4371-1: libvirt vulnerabilities

It was discovered that libvirt incorrectly handled an active pool without a target path. A remote attacker could possibly use this issue to cause libvirt to crash, resulting in a denial of service. (CVE-2020-10703) It was discovered that libvirt incorrectly handled memory when retrieving certain domain statistics. A remote attacker could possibly…

21 May 2020 | ubuntu-19.10, ubuntu-18.04-lts

USN-4370-1: ClamAV vulnerabilities

It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327) It was discovered that ClamAV incorrectly handled parsing PDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting…

21 May 2020 | ubuntu-20.04-lts, ubuntu-19.10, ubuntu-18.04-lts, ubuntu-16.04-lts