Ubuntu security notices

These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please file a bug, or contact security@ubuntu.com. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

< Previous   Showing page 3 of 53   Next >
Show: All  

USN-2244-1: Libav vulnerability - 11th June 2014

It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.

CVE-2014-3984

USN-2243-1: Firefox vulnerabilities - 11th June 2014

Gary Kwong, Christoph Diehl, Christian Holler, Hannes Verschore, Jan de Mooij, Ryan VanderMeulen, Jeff Walden, Kyle Huey, Jesse Ruderman, Gregor Wagner, Benoit Jacob and Karl Tomlinson discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit ...

CVE-2014-1533 CVE-2014-1534 CVE-2014-1536 CVE-2014-1537 CVE-2014-1538 CVE-2014-1540 CVE-2014-1541 CVE-2014-1542 LP: 1326690

USN-2242-1: dpkg vulnerabilities - 10th June 2014

It was discovered that dpkg incorrectly handled certain patches when unpacking source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could modify files outside the target unpack directory, leading to a denial of service or potentially gaining access ...

CVE-2014-3864 CVE-2014-3865

USN-2214-2: libxml2 regression - 9th June 2014

USN-2214-1 fixed vulnerabilities in libxml2. The upstream fix introduced a regression when using xmllint with the --postvalid option. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or ...

LP: 1321869

USN-2241-1: Linux kernel vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) A flaw was discovered in the Linux kernel virtual machine's (kvm) validation of interrupt requests (irq). A guest ...

CVE-2014-0155 CVE-2014-2568 CVE-2014-3122 CVE-2014-3153

USN-2240-1: Linux kernel vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) An information leak was discovered in the netfilter subsystem of the Linux kernel. An attacker could exploit this ...

CVE-2014-2568 CVE-2014-3122 CVE-2014-3153

USN-2239-1: Linux kernel (Saucy HWE) vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) A flaw was discovered in the Linux kernel virtual machine's (kvm) validation of interrupt requests (irq). A guest ...

CVE-2014-0155 CVE-2014-2568 CVE-2014-3122 CVE-2014-3153

USN-2238-1: Linux kernel (Raring HWE) vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) A flaw was discovered in the Linux kernel's IPC reference counting. An unprivileged local user could exploit this ...

CVE-2013-4483 CVE-2014-3153

USN-2237-1: Linux kernel (Quantal HWE) vulnerability - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges.

CVE-2014-3153

USN-2236-1: Linux kernel (OMAP4) vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) A flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest OS users could exploit this ...

CVE-2014-0055 CVE-2014-3122 CVE-2014-3153

USN-2235-1: Linux kernel vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) A flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest OS users could exploit this ...

CVE-2014-0055 CVE-2014-3122 CVE-2014-3153

USN-2234-1: Linux kernel (EC2) vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) Dmitry Vyukov reported a flaw in the Linux kernel's handling of IPv6 UDP Fragmentation Offload (UFO) processing. A ...

CVE-2013-4387 CVE-2013-4470 CVE-2013-4483 CVE-2014-1438 CVE-2014-3122 CVE-2014-3153

USN-2233-1: Linux kernel vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) Dmitry Vyukov reported a flaw in the Linux kernel's handling of IPv6 UDP Fragmentation Offload (UFO) processing. A ...

CVE-2013-4387 CVE-2013-4470 CVE-2013-4483 CVE-2014-1438 CVE-2014-3122 CVE-2014-3153

USN-2232-1: OpenSSL vulnerabilities - 5th June 2014

Jüri Aedla discovered that OpenSSL incorrectly handled invalid DTLS fragments. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. (CVE-2014-0195) Imre Rad discovered ...

CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470

USN-2230-1: chkrootkit vulnerability - 4th June 2014

Thomas Stangner discovered that chkrootkit incorrectly quoted certain values. A local attacker could use this issue to execute arbitrary code when chkrootkit is run and gain root privileges.

CVE-2014-0476

USN-2229-1: GnuTLS vulnerability - 2nd June 2014

Joonas Kuorilehto discovered that GnuTLS incorrectly handled Server Hello messages. A malicious remote server or a man in the middle could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2014-3466

USN-2228-1: Linux kernel vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2014-0055 CVE-2014-0077 CVE-2014-0100 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2673 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851

USN-2227-1: Linux kernel (OMAP4) vulnerabilities - 27th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges. (CVE-2014-0196) Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged ...

CVE-2013-4483 CVE-2014-0069 CVE-2014-0077 CVE-2014-0101 CVE-2014-0196 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851

USN-2226-1: Linux kernel vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2014-0077 CVE-2014-1737 CVE-2014-1738 CVE-2014-2580 CVE-2014-2851

USN-2225-1: Linux kernel (Saucy HWE) vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2014-0055 CVE-2014-0077 CVE-2014-0100 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2673 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851

USN-2224-1: Linux kernel (Raring HWE) vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2014-0055 CVE-2014-0077 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851 CVE-2014-3122

USN-2223-1: Linux kernel (Quantal HWE) vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2013-4483 CVE-2014-0055 CVE-2014-0077 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851 CVE-2014-3122

USN-2222-1: mod_wsgi vulnerabilities - 26th May 2014

Róbert Kisteleki discovered mod_wsgi incorrectly checked setuid return values. A malicious application could use this issue to cause a local privilege escalation when using daemon mode. (CVE-2014-0240) Buck Golemon discovered that mod_wsgi used memory that had been freed. A remote attacker could use this issue to read process memory via ...

CVE-2014-0240 CVE-2014-0242

USN-2221-1: Linux kernel vulnerabilities - 26th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2013-4483 CVE-2014-0069 CVE-2014-0077 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851

USN-2220-1: Linux kernel (EC2) vulnerabilities - 26th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2013-7339 CVE-2014-1737 CVE-2014-1738 CVE-2014-2678

USN-2219-1: Linux kernel vulnerabilities - 26th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2013-7339 CVE-2014-1737 CVE-2014-1738 CVE-2014-2678

USN-2218-1: Xalan-Java vulnerability - 21st May 2014

Nicolas Gregoire discovered that Xalan-Java incorrectly handled certain properties when the secure processing feature was enabled. An attacker could possibly use this issue to load arbitrary classes or access external resources.

CVE-2014-0107

USN-2217-1: lxml vulnerability - 21st May 2014

It was discovered that the lxml.html.clean module incorrectly stripped control characters. An attacked could potentially exploit this to conduct cross-site scripting (XSS) attacks.

CVE-2014-3146

USN-2216-1: Pidgin vulnerability - 21st May 2014

It was discovered that Pidgin incorrectly handled certain messages from Gadu-Gadu file relay servers. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2014-3775

USN-2215-1: libgadu vulnerability - 21st May 2014

It was discovered that libgadu incorrectly handled certain messages from file relay servers. A malicious remote server or a man in the middle could use this issue to cause applications using libgadu to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2014-3775

USN-2214-1: libxml2 vulnerability - 15th May 2014

Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service.

CVE-2014-0191

USN-2213-1: Dovecot vulnerability - 15th May 2014

It was discovered that Dovecot incorrectly handled closing inactive SSL/TLS connections. A remote attacker could use this issue to cause Dovecot to stop responding to new connections, resulting in a denial of service.

CVE-2014-3430

USN-2212-1: Django vulnerabilities - 14th May 2014

Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. An attacker may use this to retrieve private data or poison caches. This update removes workarounds ...

CVE-2014-1418

USN-2211-1: libXfont vulnerabilities - 14th May 2014

Ilja van Sprundel discovered that libXfont incorrectly handled font metadata file parsing. A local attacker could use this issue to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges. (CVE-2014-0209) Ilja van Sprundel discovered that libXfont incorrectly handled X Font Server replies. A malicious font ...

CVE-2014-0209 CVE-2014-0210 CVE-2014-0211

USN-2210-1: cups-filters vulnerability - 8th May 2014

Sebastian Krahmer discovered that cups-browsed incorrectly filtered remote printer names and strings. A remote attacker could use this issue to possibly execute arbitrary commands. (CVE-2014-2707) Johannes Meixner discovered that cups-browsed ignored invalid BrowseAllow directives. This could cause it to accept browse packets from all hosts, contrary to intended configuration.

CVE-2014-2707

USN-2209-1: libvirt vulnerabilities - 7th May 2014

It was discovered that libvirt incorrectly handled symlinks when using the LXC driver. An attacker could possibly use this issue to delete host devices, create arbitrary nodes, and shutdown or power off the host. (CVE-2013-6456) Marian Krcmarik discovered that libvirt incorrectly handled seamless SPICE migrations. An attacker could possibly use ...

CVE-2013-6456 CVE-2013-7336

USN-2208-2: OpenStack Quantum vulnerability - 6th May 2014

USN-2208-1 fixed vulnerabilities in OpenStack Cinder. This update provides the corresponding updates for OpenStack Quantum. Original advisory details: JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce SSL connections when Nova was configured to use QPid and qpid_protocol is set to 'ssl'. If a remote attacker were able to ...

CVE-2013-6491

USN-2208-1: OpenStack Cinder vulnerability - 6th May 2014

JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce SSL connections when Nova was configured to use QPid and qpid_protocol is set to 'ssl'. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. Ubuntu does not use QPid ...

CVE-2013-6491

USN-2207-1: OpenStack Swift vulnerability - 6th May 2014

Samuel Merritt discovered a timing attack vulnerability in OpenStack Swift. If Swift was configured to use the TempURL middleware, an attacker could exploit this to guess valid secret URLs and obtain unintended access to objects publicly shared with specific recipients.

CVE-2014-0006

USN-2206-1: OpenStack Horizon vulnerability - 6th May 2014

Cristian Fiorentino discovered that OpenStack Horizon did not properly perform input sanitization for Heat templates. If a user were tricked into using a specially crafted Heat template, an attacker could conduct cross-site scripting attacks. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted ...

CVE-2014-0157

USN-2205-1: LibTIFF vulnerabilities - 6th May 2014

Pedro Ribeiro discovered that LibTIFF incorrectly handled certain malformed images when using the gif2tiff tool. If a user or automated system were tricked into opening a specially crafted GIF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user ...

CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244

USN-2204-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2203-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2202-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2201-1: Linux kernel (Saucy HWE) vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2200-1: Linux kernel (Raring HWE) vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2199-1: Linux kernel (Quantal HWE) vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2198-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2197-1: Linux kernel (EC2) vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2196-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

< Previous   Showing page 3 of 53   Next >
Show: All