Ubuntu security notices

These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please file a bug, or contact security@ubuntu.com. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.


USN-2236-1: Linux kernel (OMAP4) vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) A flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest OS users could exploit this ...

CVE-2014-0055 CVE-2014-3122 CVE-2014-3153

USN-2235-1: Linux kernel vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) A flaw was discovered in the vhost-net subsystem of the Linux kernel. Guest OS users could exploit this ...

CVE-2014-0055 CVE-2014-3122 CVE-2014-3153

USN-2234-1: Linux kernel (EC2) vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) Dmitry Vyukov reported a flaw in the Linux kernel's handling of IPv6 UDP Fragmentation Offload (UFO) processing. A ...

CVE-2013-4387 CVE-2013-4470 CVE-2013-4483 CVE-2014-1438 CVE-2014-3122 CVE-2014-3153

USN-2233-1: Linux kernel vulnerabilities - 5th June 2014

Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges. (CVE-2014-3153) Dmitry Vyukov reported a flaw in the Linux kernel's handling of IPv6 UDP Fragmentation Offload (UFO) processing. A ...

CVE-2013-4387 CVE-2013-4470 CVE-2013-4483 CVE-2014-1438 CVE-2014-3122 CVE-2014-3153

USN-2232-1: OpenSSL vulnerabilities - 5th June 2014

Jüri Aedla discovered that OpenSSL incorrectly handled invalid DTLS fragments. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. (CVE-2014-0195) Imre Rad discovered ...

CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470

USN-2230-1: chkrootkit vulnerability - 4th June 2014

Thomas Stangner discovered that chkrootkit incorrectly quoted certain values. A local attacker could use this issue to execute arbitrary code when chkrootkit is run and gain root privileges.

CVE-2014-0476

USN-2229-1: GnuTLS vulnerability - 2nd June 2014

Joonas Kuorilehto discovered that GnuTLS incorrectly handled Server Hello messages. A malicious remote server or a man in the middle could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2014-3466

USN-2228-1: Linux kernel vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2014-0055 CVE-2014-0077 CVE-2014-0100 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2673 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851

USN-2227-1: Linux kernel (OMAP4) vulnerabilities - 27th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges. (CVE-2014-0196) Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged ...

CVE-2013-4483 CVE-2014-0069 CVE-2014-0077 CVE-2014-0101 CVE-2014-0196 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851

USN-2226-1: Linux kernel vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2014-0077 CVE-2014-1737 CVE-2014-1738 CVE-2014-2580 CVE-2014-2851

USN-2225-1: Linux kernel (Saucy HWE) vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2014-0055 CVE-2014-0077 CVE-2014-0100 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2673 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851

USN-2224-1: Linux kernel (Raring HWE) vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2014-0055 CVE-2014-0077 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851 CVE-2014-3122

USN-2223-1: Linux kernel (Quantal HWE) vulnerabilities - 27th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2013-4483 CVE-2014-0055 CVE-2014-0077 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851 CVE-2014-3122

USN-2222-1: mod_wsgi vulnerabilities - 26th May 2014

Róbert Kisteleki discovered mod_wsgi incorrectly checked setuid return values. A malicious application could use this issue to cause a local privilege escalation when using daemon mode. (CVE-2014-0240) Buck Golemon discovered that mod_wsgi used memory that had been freed. A remote attacker could use this issue to read process memory via ...

CVE-2014-0240 CVE-2014-0242

USN-2221-1: Linux kernel vulnerabilities - 26th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2013-4483 CVE-2014-0069 CVE-2014-0077 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2672 CVE-2014-2678 CVE-2014-2706 CVE-2014-2851

USN-2220-1: Linux kernel (EC2) vulnerabilities - 26th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2013-7339 CVE-2014-1737 CVE-2014-1738 CVE-2014-2678

USN-2219-1: Linux kernel vulnerabilities - 26th May 2014

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-1738) Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the ...

CVE-2013-7339 CVE-2014-1737 CVE-2014-1738 CVE-2014-2678

USN-2218-1: Xalan-Java vulnerability - 21st May 2014

Nicolas Gregoire discovered that Xalan-Java incorrectly handled certain properties when the secure processing feature was enabled. An attacker could possibly use this issue to load arbitrary classes or access external resources.

CVE-2014-0107

USN-2217-1: lxml vulnerability - 21st May 2014

It was discovered that the lxml.html.clean module incorrectly stripped control characters. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks.

CVE-2014-3146

USN-2216-1: Pidgin vulnerability - 21st May 2014

It was discovered that Pidgin incorrectly handled certain messages from Gadu-Gadu file relay servers. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2014-3775

USN-2215-1: libgadu vulnerability - 21st May 2014

It was discovered that libgadu incorrectly handled certain messages from file relay servers. A malicious remote server or a man in the middle could use this issue to cause applications using libgadu to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2014-3775

USN-2214-1: libxml2 vulnerability - 15th May 2014

Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service.

CVE-2014-0191

USN-2213-1: Dovecot vulnerability - 15th May 2014

It was discovered that Dovecot incorrectly handled closing inactive SSL/TLS connections. A remote attacker could use this issue to cause Dovecot to stop responding to new connections, resulting in a denial of service.

CVE-2014-3430

USN-2212-1: Django vulnerabilities - 14th May 2014

Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. An attacker may use this to retrieve private data or poison caches. This update removes workarounds ...

CVE-2014-1418

USN-2211-1: libXfont vulnerabilities - 14th May 2014

Ilja van Sprundel discovered that libXfont incorrectly handled font metadata file parsing. A local attacker could use this issue to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges. (CVE-2014-0209) Ilja van Sprundel discovered that libXfont incorrectly handled X Font Server replies. A malicious font ...

CVE-2014-0209 CVE-2014-0210 CVE-2014-0211

USN-2210-1: cups-filters vulnerability - 8th May 2014

Sebastian Krahmer discovered that cups-browsed incorrectly filtered remote printer names and strings. A remote attacker could use this issue to possibly execute arbitrary commands. (CVE-2014-2707) Johannes Meixner discovered that cups-browsed ignored invalid BrowseAllow directives. This could cause it to accept browse packets from all hosts, contrary to intended configuration.

CVE-2014-2707

USN-2209-1: libvirt vulnerabilities - 7th May 2014

It was discovered that libvirt incorrectly handled symlinks when using the LXC driver. An attacker could possibly use this issue to delete host devices, create arbitrary nodes, and shut down or power off the host. (CVE-2013-6456) Marian Krcmarik discovered that libvirt incorrectly handled seamless SPICE migrations. An attacker could possibly use ...

CVE-2013-6456 CVE-2013-7336

USN-2208-2: OpenStack Quantum vulnerability - 6th May 2014

USN-2208-1 fixed vulnerabilities in OpenStack Cinder. This update provides the corresponding updates for OpenStack Quantum. Original advisory details: JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce SSL connections when Nova was configured to use QPid and qpid_protocol is set to 'ssl'. If a remote attacker were able to ...

CVE-2013-6491

USN-2208-1: OpenStack Cinder vulnerability - 6th May 2014

JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce SSL connections when Nova was configured to use QPid and qpid_protocol is set to 'ssl'. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. Ubuntu does not use QPid ...

CVE-2013-6491

USN-2207-1: OpenStack Swift vulnerability - 6th May 2014

Samuel Merritt discovered a timing attack vulnerability in OpenStack Swift. If Swift was configured to use the TempURL middleware, an attacker could exploit this to guess valid secret URLs and obtain unintended access to objects publicly shared with specific recipients.

CVE-2014-0006

USN-2206-1: OpenStack Horizon vulnerability - 6th May 2014

Cristian Fiorentino discovered that OpenStack Horizon did not properly perform input sanitization for Heat templates. If a user were tricked into using a specially crafted Heat template, an attacker could conduct cross-site scripting attacks. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted ...

CVE-2014-0157

USN-2205-1: LibTIFF vulnerabilities - 6th May 2014

Pedro Ribeiro discovered that LibTIFF incorrectly handled certain malformed images when using the gif2tiff tool. If a user or automated system were tricked into opening a specially crafted GIF image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user ...

CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244

USN-2204-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2203-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2202-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2201-1: Linux kernel (Saucy HWE) vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2200-1: Linux kernel (Raring HWE) vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2199-1: Linux kernel (Quantal HWE) vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2198-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2197-1: Linux kernel (EC2) vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2196-1: Linux kernel vulnerability - 5th May 2014

A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

CVE-2014-0196

USN-2194-1: OpenStack Neutron vulnerability - 5th May 2014

Aaron Rosen discovered that OpenStack Neutron did not properly perform authorization checks when creating ports when using plugins relying on the l3-agent. A remote authenticated attacker could exploit this to access the network of other tenants.

CVE-2014-0056

USN-2193-1: OpenStack Glance vulnerability - 5th May 2014

Paul McMillan discovered that the Sheepdog backend in OpenStack Glance did not properly handle untrusted input. A remote authenticated attacker could exploit this to execute arbitrary commands as the glance user.

CVE-2014-0162

USN-2192-1: OpenSSL vulnerabilities - 5th May 2014

It was discovered that OpenSSL incorrectly handled memory in the ssl3_read_bytes() function. A remote attacker could use this issue to possibly cause OpenSSL to crash, resulting in a denial of service. (CVE-2010-5298) It was discovered that OpenSSL incorrectly handled memory in the do_ssl3_write() function. A remote attacker could use this ...

CVE-2010-5298 CVE-2014-0198

USN-2191-1: OpenJDK 6 vulnerabilities - 1st May 2014

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0461, CVE-2014-0462, CVE-2014-2397, CVE-2014-2405, CVE-2014-2412, CVE-2014-2414, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427) ...

CVE-2014-0429 CVE-2014-0446 CVE-2014-0451 CVE-2014-0452 CVE-2014-0453 CVE-2014-0456 CVE-2014-0457 CVE-2014-0458 CVE-2014-0459 CVE-2014-0460 CVE-2014-0461 CVE-2014-0462 CVE-2014-1876 CVE-2014-2397 CVE-2014-2398 CVE-2014-2403 CVE-2014-2405 CVE-2014-2412 CVE-2014-2414 CVE-2014-2421 CVE-2014-2423 CVE-2014-2427

USN-2190-1: JBIG-KIT vulnerability - 1st May 2014

Florian Weimer discovered that JBIG-KIT incorrectly handled certain malformed images. If a user or automated system were tricked into processing a specially crafted image, JBIG-KIT could be made to crash, or possibly execute arbitrary code.

CVE-2013-6369

USN-2183-2: dpkg vulnerability - 1st May 2014

USN-2183-1 fixed a vulnerability in dpkg. Javier Serrano Polo discovered that the fix introduced a vulnerability in releases with an older version of the patch utility. This update fixes the problem. Original advisory details: Jakub Wilk discovered that dpkg incorrectly handled certain paths and symlinks when unpacking source packages. If a ...

CVE-2014-0471

USN-2189-1: Thunderbird vulnerabilities - 30th April 2014

Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij, Jesse Ruderman, Nathan Froyd and Christian Holler discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial ...

CVE-2014-1518 CVE-2014-1523 CVE-2014-1524 CVE-2014-1529 CVE-2014-1530 CVE-2014-1531 CVE-2014-1532 LP: 1313886

USN-2184-2: Unity vulnerabilities - 30th April 2014

USN-2184-1 fixed lock screen vulnerabilities in Unity. Further testing has uncovered more issues which have been fixed in this update. This update also fixes a regression with the shutdown dialogue. We apologize for the inconvenience. Original advisory details: Frédéric Bardy discovered that Unity incorrectly filtered keyboard shortcuts when the screen ...

LP: 1314247

USN-2188-1: elfutils vulnerability - 30th April 2014

Florian Weimer discovered that the elfutils libdw library incorrectly handled malformed compressed debug sections in ELF files. If a user or automated system were tricked into processing a specially crafted ELF file, applications linked against libdw could be made to crash, or possibly execute arbitrary code.

CVE-2014-0172
