USNs for Ubuntu 18.10

USN-3819-1: Linux kernel vulnerability

Felix Wilhelm discovered that the Xen netback driver in the Linux kernel did not properly perform input validation in some situations. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

14 November 2018

USN-3818-1: PostgreSQL vulnerability

It was discovered that PostgreSQL incorrectly handled certain trigger definitions when running pg_upgrade or pg_dump. A remote attacker could possibly use this issue to execute arbitrary SQL statements with superuser privileges.

14 November 2018

USN-3816-1: systemd vulnerabilities

Jann Horn discovered that unit_deserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject arbitrary state across re-execution and obtain root privileges. (CVE-2018-15686) Jann Horn discovered a race condition in chown_one(). A local attacker could potentially…

12 November 2018

USN-3815-1: gettext vulnerability

It was discovered that gettext incorrectly handled certain messages. An attacker could possibly use this issue to execute arbitrary code.

12 November 2018

USN-3814-1: libmspack vulnerabilities

It was discovered that libmspack incorrectly handled certain malformed CAB files. A remote attacker could use this issue to cause libmspack to crash, resulting in a denial of service. (CVE-2018-18584, CVE-2018-18585)

12 November 2018

USN-3812-1: nginx vulnerabilities

It was discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause excessive memory consumption, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16843) Gal Goldshtein discovered that nginx incorrectly handled…

7 November 2018

USN-3808-1: Ruby vulnerabilities

It was discovered that Ruby incorrectly handled certain X.509 certificates. An attacker could possibly use this issue to bypass the certificate check. (CVE-2018-16395) It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-16396)

5 November 2018

USN-3807-1: NetworkManager vulnerability

Felix Wilhelm discovered that the NetworkManager internal DHCPv6 client incorrectly handled certain DHCPv6 messages. In non-default configurations where the internal DHCP client is enabled, an attacker on the same network could use this issue to cause NetworkManager to crash, resulting in a denial of service, or possibly execute arbitrary code.

5 November 2018

USN-3806-1: systemd vulnerability

Felix Wilhelm discovered that the systemd-networkd DHCPv6 client incorrectly handled certain DHCPv6 messages. In configurations where systemd-networkd is being used, an attacker on the same network could use this issue to cause systemd-networkd to crash, resulting in a denial of service, or possibly execute arbitrary code.

5 November 2018

USN-3805-1: curl vulnerabilities

Harry Sintonen discovered that curl incorrectly handled SASL authentication. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-16839) Brian Carpenter discovered that curl incorrectly handled memory when closing certain handles. A remote attacker could use…

31 October 2018

USN-3804-1: OpenJDK vulnerabilities

It was discovered that the Security component of OpenJDK did not properly ensure that manifest elements were signed before use. An attacker could possibly use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2018-3136) Artem Smotrakov discovered that the HTTP client redirection…

30 October 2018

USN-3803-1: Ghostscript vulnerabilities

Tavis Ormandy discovered multiple security issues in Ghostscript. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service.

30 October 2018

USN-3802-1: X.Org X server vulnerability

Narendra Shinde discovered that the X.Org X server incorrectly handled certain command line parameters when running as root with the legacy wrapper. When certain graphics drivers are being used, a local attacker could possibly use this issue to overwrite arbitrary files and escalate privileges.

26 October 2018

USN-3801-1: Firefox vulnerabilities

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass CSP restrictions, spoof the protocol registration notification bar, leak SameSite cookies, bypass mixed content warnings, or execute arbitrary code….

24 October 2018

USN-3799-1: MySQL vulnerabilities

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.62 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10 have been updated to MySQL 5.7.24. In addition to security fixes, the updated packages contain bug fixes,…

23 October 2018

USN-3788-2: Tex Live-bin vulnerability

USN-3788-1 fixed vulnerabilities in Tex Live. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: It was discovered that Tex Live incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-17407)

23 October 2018

USN-3790-2: Requests vulnerability

USN-3790-1 fixed vulnerabilities in Requests. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: It was discovered that Requests incorrectly handled certain HTTP headers. An attacker could possibly use this issue to access sensitive information.

22 October 2018

USN-3796-3: Paramiko vulnerability

USN-3796-1 fixed a vulnerability in Paramiko. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: Daniel Hoffman discovered that Paramiko incorrectly handled authentication when being used as a server. A remote attacker could use this issue to bypass authentication without any credentials.

22 October 2018

USN-3795-2: libssh vulnerability

USN-3795-1 fixed a vulnerability in libssh. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: Peter Winter-Smith discovered that libssh incorrectly handled authentication when being used as a server. A remote attacker could use this issue to bypass authentication without any credentials.

22 October 2018

USN-3792-3: Net-SNMP vulnerability

USN-3792-1 fixed a vulnerability in Net-SNMP. This update provides the corresponding update for Ubuntu 18.10. Original advisory details: It was discovered that Net-SNMP incorrectly handled certain crafted packets. A remote attacker could possibly use this issue to cause Net-SNMP to crash, resulting in a denial of service.

22 October 2018