Ubuntu security notices

These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please file a bug, or contact security@ubuntu.com. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Showing page 2 of 65

USN-2853-1: Linux kernel (Wily HWE) vulnerabilities - 20th December 2015

Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host. (CVE-2015-8550) Konrad Rzeszutek Wilk discovered the ...

CVE-2015-8550 CVE-2015-8551 CVE-2015-8552 CVE-2015-8709

USN-2852-1: Linux kernel (Raspberry Pi 2) vulnerability - 19th December 2015

Jann Horn discovered a ptrace issue with user namespaces in the Linux kernel. The namespace owner could potentially exploit this flaw by ptracing a root owned process entering the user namespace to elevate its privileges and potentially gain access outside of the namespace. (http://bugs.launchpad.net/bugs/1527374, CVE-2015-8709)

CVE-2015-8709

USN-2851-1: Linux kernel vulnerabilities - 19th December 2015

Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host. (CVE-2015-8550) Konrad Rzeszutek Wilk discovered the ...

CVE-2015-8550 CVE-2015-8551 CVE-2015-8552 CVE-2015-8709

USN-2850-1: Linux kernel vulnerabilities - 19th December 2015

Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host. (CVE-2015-8550) Konrad Rzeszutek Wilk discovered the ...

CVE-2015-8550 CVE-2015-8551 CVE-2015-8552 CVE-2015-8709

USN-2849-1: Linux kernel (Utopic HWE) vulnerabilities - 19th December 2015

Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host. (CVE-2015-8550) Konrad Rzeszutek Wilk discovered the ...

CVE-2015-8550 CVE-2015-8551 CVE-2015-8552 CVE-2015-8709

USN-2848-1: Linux kernel vulnerabilities - 19th December 2015

Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host. (CVE-2015-8550) Konrad Rzeszutek Wilk discovered the ...

CVE-2015-8550 CVE-2015-8551 CVE-2015-8552 CVE-2015-8709

USN-2847-1: Linux kernel (Trusty HWE) vulnerabilities - 19th December 2015

Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host. (CVE-2015-8550) Konrad Rzeszutek Wilk discovered the ...

CVE-2015-8550 CVE-2015-8551 CVE-2015-8552 CVE-2015-8709

USN-2846-1: Linux kernel vulnerabilities - 19th December 2015

Felix Wilhelm discovered a race condition in the Xen paravirtualized drivers which can cause double fetch vulnerabilities. An attacker in the paravirtualized guest could exploit this flaw to cause a denial of service (crash the host) or potentially execute arbitrary code on the host. (CVE-2015-8550) Konrad Rzeszutek Wilk discovered the ...

CVE-2015-8550 CVE-2015-8551 CVE-2015-8552

USN-2845-1: SoS vulnerabilities - 17th December 2015

Dolev Farhi discovered an information disclosure issue in SoS. If the /etc/fstab file contained passwords, the passwords were included in the SoS report. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-3925) Mateusz Guzik discovered that SoS incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite ...

CVE-2014-3925 CVE-2015-7529

USN-2840-2: Linux kernel (OMAP4) vulnerability - 17th December 2015

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash).

CVE-2015-7872

USN-2843-3: Linux kernel (Raspberry Pi 2) vulnerabilities - 17th December 2015

郭永刚 discovered that the ppp implementation in the Linux kernel did not ensure that certain slot numbers are valid. A local attacker with the privilege to call ioctl() on /dev/ppp could cause a denial of service (system crash). (CVE-2015-7799) Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to ...

CVE-2015-7799 CVE-2015-7872 CVE-2015-7884 CVE-2015-7885

USN-2843-2: Linux kernel (Wily HWE) vulnerabilities - 17th December 2015

Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) 郭永刚 discovered that the ppp ...

CVE-2015-7799 CVE-2015-7872 CVE-2015-7884 CVE-2015-7885 CVE-2015-8104

USN-2844-1: Linux kernel (Utopic HWE) vulnerabilities - 17th December 2015

Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) 郭永刚 discovered that the ppp ...

CVE-2015-7799 CVE-2015-7885 CVE-2015-8104

USN-2843-1: Linux kernel vulnerabilities - 17th December 2015

Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) 郭永刚 discovered that the ppp ...

CVE-2015-7799 CVE-2015-7872 CVE-2015-7884 CVE-2015-7885 CVE-2015-8104

USN-2842-2: Linux kernel (Vivid HWE) vulnerabilities - 17th December 2015

Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) 郭永刚 discovered that the ppp ...

CVE-2015-7799 CVE-2015-7884 CVE-2015-7885 CVE-2015-8104

USN-2842-1: Linux kernel vulnerabilities - 17th December 2015

Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) 郭永刚 discovered that the ppp ...

CVE-2015-7799 CVE-2015-7884 CVE-2015-7885 CVE-2015-8104

USN-2841-2: Linux kernel (Trusty HWE) vulnerabilities - 17th December 2015

Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) 郭永刚 discovered that the ppp ...

CVE-2015-7799 CVE-2015-7885 CVE-2015-8104

USN-2841-1: Linux kernel vulnerabilities - 17th December 2015

Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug exceptions on AMD processors. An attacker in a guest virtual machine could use this to cause a denial of service (system crash) in the host OS. (CVE-2015-8104) 郭永刚 discovered that the ppp ...

CVE-2015-7799 CVE-2015-7885 CVE-2015-8104

USN-2840-1: Linux kernel vulnerabilities - 17th December 2015

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2015-7872) Jan Beulich discovered that the KVM svm hypervisor implementation in the Linux kernel did not properly catch Debug ...

CVE-2015-7872 CVE-2015-8104

USN-2839-1: CUPS update - 16th December 2015

As a security improvement against the POODLE attack, this update disables SSLv3 support in the CUPS web interface. For legacy environments where SSLv3 support is still required, it can be re-enabled by adding "SSLOptions AllowSSL3" to /etc/cups/cupsd.conf.

LP: 1505328

USN-2838-2: foomatic-filters vulnerability - 16th December 2015

Adam Chester discovered that the foomatic-filters foomatic-rip filter incorrectly stripped shell escape characters. A remote attacker could possibly use this issue to execute arbitrary code as the lp user.

CVE-2015-8560

USN-2838-1: cups-filters vulnerability - 16th December 2015

Adam Chester discovered that the cups-filters foomatic-rip filter incorrectly stripped shell escape characters. A remote attacker could possibly use this issue to execute arbitrary code as the lp user.

CVE-2015-8560

USN-2833-1: Firefox vulnerabilities - 15th December 2015

Andrei Vaida, Jesse Ruderman, Bob Clary, Christian Holler, Jesse Ruderman, Eric Rahm, Robert Kaiser, Harald Kirschner, and Michael Henretty discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service ...

CVE-2015-7201 CVE-2015-7202 CVE-2015-7203 CVE-2015-7204 CVE-2015-7205 CVE-2015-7207 CVE-2015-7208 CVE-2015-7210 CVE-2015-7211 CVE-2015-7212 CVE-2015-7213 CVE-2015-7214 CVE-2015-7215 CVE-2015-7216 CVE-2015-7217 CVE-2015-7218 CVE-2015-7219 CVE-2015-7220 CVE-2015-7221 CVE-2015-7222 CVE-2015-7223

USN-2837-1: Bind vulnerability - 15th December 2015

It was discovered that Bind incorrectly handled responses with malformed class attributes. A remote attacker could use this issue to cause Bind to crash, resulting in a denial of service.

CVE-2015-8000

USN-2836-1: GRUB vulnerability - 15th December 2015

Hector Marco and Ismael Ripoll discovered that GRUB incorrectly handled the backspace key when configured to use authentication. A local attacker could use this issue to bypass GRUB password protection.

CVE-2015-8370

USN-2835-1: Git vulnerability - 15th December 2015

Blake Burkhart discovered that the Git git-remote-ext helper incorrectly handled recursive clones of git repositories. A remote attacker could possibly use this issue to execute arbitrary code by injecting commands via crafted URLs.

CVE-2015-7545

USN-2834-1: libxml2 vulnerabilities - 14th December 2015

Kostya Serebryany discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. (CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500) Hugh Davenport discovered that libxml2 incorrectly handled certain ...

CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-8241 CVE-2015-8242 CVE-2015-8317

USN-2825-1: Oxide vulnerabilities - 10th December 2015

Multiple use-after-free bugs were discovered in the application cache implementation in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking ...

CVE-2015-6765 CVE-2015-6766 CVE-2015-6767 CVE-2015-6768 CVE-2015-6769 CVE-2015-6770 CVE-2015-6771 CVE-2015-6772 CVE-2015-6773 CVE-2015-6777 CVE-2015-6782 CVE-2015-6784 CVE-2015-6785 CVE-2015-6786 CVE-2015-6787 CVE-2015-8478

USN-2832-1: libsndfile vulnerabilities - 7th December 2015

It was discovered that libsndfile incorrectly handled memory when parsing malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9496) Joshua Rogers discovered that libsndfile incorrectly handled ...

CVE-2014-9496 CVE-2014-9756 CVE-2015-7805

USN-2831-2: foomatic-filters vulnerability - 7th December 2015

Michal Kowalczyk discovered that the foomatic-filters foomatic-rip filter incorrectly stripped shell escape characters. A remote attacker could possibly use this issue to execute arbitrary code as the lp user.

CVE-2015-8327

USN-2831-1: cups-filters vulnerability - 7th December 2015

Michal Kowalczyk discovered that the cups-filters foomatic-rip filter incorrectly stripped shell escape characters. A remote attacker could possibly use this issue to execute arbitrary code as the lp user.

CVE-2015-8327

USN-2830-1: OpenSSL vulnerabilities - 7th December 2015

Guy Leaver discovered that OpenSSL incorrectly handled a ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only applied to Ubuntu 15.10. (CVE-2015-1794) Hanno ...

CVE-2015-1794 CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196

USN-2829-2: Linux kernel (Vivid HWE) vulnerabilities - 4th December 2015

It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-5283) Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. ...

CVE-2015-5283 CVE-2015-7872

USN-2829-1: Linux kernel vulnerabilities - 4th December 2015

It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-5283) Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. ...

CVE-2015-5283 CVE-2015-7872

USN-2828-1: QEMU vulnerabilities - 3rd December 2015

Jason Wang discovered that QEMU incorrectly handled the virtio-net device. A remote attacker could use this issue to cause guest network consumption, resulting in a denial of service. (CVE-2015-7295) Qinghao Tang and Ling Liu discovered that QEMU incorrectly handled the pcnet driver when used in loopback mode. A malicious guest ...

CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345

USN-2827-1: OpenJDK 6 vulnerabilities - 3rd December 2015

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883) A vulnerability was discovered in the OpenJDK JRE related ...

CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911

USN-2826-1: Linux kernel (Trusty HWE) vulnerabilities - 3rd December 2015

It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-5283) Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. ...

CVE-2015-5283 CVE-2015-7872

USN-2824-1: Linux kernel (Utopic HWE) vulnerability - 1st December 2015

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash).

CVE-2015-7872

USN-2823-1: Linux kernel vulnerabilities - 1st December 2015

It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-5283) Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted to garbage collect incompletely instantiated keys. ...

CVE-2015-5283 CVE-2015-7872

USN-2819-1: Thunderbird vulnerabilities - 1st December 2015

Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, and Gary Kwong discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial ...

CVE-2015-4513 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200

USN-2821-1: GnuTLS vulnerability - 30th November 2015

It was discovered that GnuTLS incorrectly validated the first byte of padding in CBC modes. A remote attacker could possibly use this issue to perform a padding oracle attack.

LP: 1510163

USN-2820-1: dpkg vulnerability - 26th November 2015

Hanno Boeck discovered that the dpkg-deb tool incorrectly handled certain old style Debian binary packages. If a user or an automated system were tricked into unpacking a specially crafted binary package, a remote attacker could possibly use this issue to execute arbitrary code.

CVE-2015-0860

USN-2818-1: OpenJDK 7 vulnerability - 25th November 2015

It was discovered that rebinding of the receiver of a DirectMethodHandle may allow a protected method to be accessed. An attacker could use this to expose sensitive information or possibly execute arbitrary code.

CVE-2015-4871

USN-2817-1: IcedTea Web vulnerabilities - 24th November 2015

It was discovered that IcedTea Web incorrectly handled applet URLs. A remote attacker could possibly use this issue to inject applets into the .appletTrustSettings configuration file and bypass user approval. (CVE-2015-5234) Andrea Palazzo discovered that IcedTea Web incorrectly determined the origin of unsigned applets. A remote attacker could possibly use ...

CVE-2015-5234 CVE-2015-5235

USN-2816-1: Django vulnerability - 24th November 2015

Ryan Butterfield discovered that Django incorrectly handled the date template filter. A remote attacker could possibly use this issue to obtain secrets from application settings.

CVE-2015-8213

USN-2815-1: libpng vulnerabilities - 19th November 2015

Mikulas Patocka discovered that libpng incorrectly handled certain large fields. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could exploit this to cause libpng to crash, leading to a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-3425) ...

CVE-2012-3425 CVE-2015-7981 CVE-2015-8126

USN-2814-1: NVIDIA graphics drivers vulnerability - 18th November 2015

It was discovered that the NVIDIA graphics drivers incorrectly sanitized user mode inputs. A local attacker could use this issue to possibly gain root privileges.

CVE-2015-7869

USN-2813-1: LXCFS vulnerabilities - 17th November 2015

It was discovered that LXCFS incorrectly enforced directory escapes. A local attacker could use this issue to possibly escalate privileges. (CVE-2015-1342) It was discovered that LXCFS incorrectly checked certain permissions. A local attacker could use this issue to possibly escalate privileges. (CVE-2015-1344)

CVE-2015-1342 CVE-2015-1344

USN-2812-1: libxml2 vulnerabilities - 16th November 2015

Florian Weimer discovered that libxml2 incorrectly handled certain XML data. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.04. ...

CVE-2015-1819 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035

USN-2811-1: strongSwan vulnerability - 16th November 2015

It was discovered that the strongSwan eap-mschapv2 plugin incorrectly handled state. A remote attacker could use this issue to bypass authentication.

CVE-2015-8023
