Ubuntu security notices

These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please file a bug, or contact security@ubuntu.com. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.


USN-2702-3: Firefox regression - 20th August 2015

USN-2702-1 fixed vulnerabilities in Firefox. After upgrading, some users in the US reported that their default search engine switched to Yahoo. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, and Eric Rahm discovered ...

LP: 1485741

USN-2721-1: Subversion vulnerabilities - 20th August 2015

It was discovered that the Subversion mod_dav_svn module incorrectly handled REPORT requests for a resource that does not exist. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3580) ...

CVE-2014-3580 CVE-2014-8108 CVE-2015-0202 CVE-2015-0248 CVE-2015-0251 CVE-2015-3184 CVE-2015-3187

USN-2720-1: Django vulnerability - 18th August 2015

Lin Hua Cheng discovered that Django incorrectly handled the session store. A remote attacker could use this issue to cause the session store to fill up, resulting in a denial of service.

CVE-2015-5963 CVE-2015-5964

USN-2710-2: OpenSSH regression - 18th August 2015

USN-2710-1 fixed vulnerabilities in OpenSSH. The upstream fix for CVE-2015-5600 caused a regression resulting in random authentication failures in non-default configurations. This update fixes the problem. Original advisory details: Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH ...

LP: 1485719

USN-2719-1: Linux kernel vulnerability - 17th August 2015

Marcelo Ricardo Leitner discovered a race condition in the Linux kernel's SCTP address configuration lists when using Address Configuration Change (ASCONF) options on a socket. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).

CVE-2015-3212

USN-2718-1: Linux kernel (Vivid HWE) vulnerability - 17th August 2015

Marcelo Ricardo Leitner discovered a race condition in the Linux kernel's SCTP address configuration lists when using Address Configuration Change (ASCONF) options on a socket. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).

CVE-2015-3212

USN-2717-1: Linux kernel (Utopic HWE) vulnerability - 17th August 2015

Marcelo Ricardo Leitner discovered a race condition in the Linux kernel's SCTP address configuration lists when using Address Configuration Change (ASCONF) options on a socket. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).

CVE-2015-3212

USN-2716-1: Linux kernel vulnerability - 17th August 2015

Marcelo Ricardo Leitner discovered a race condition in the Linux kernel's SCTP address configuration lists when using Address Configuration Change (ASCONF) options on a socket. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).

CVE-2015-3212

USN-2715-1: Linux kernel (Trusty HWE) vulnerability - 17th August 2015

Marcelo Ricardo Leitner discovered a race condition in the Linux kernel's SCTP address configuration lists when using Address Configuration Change (ASCONF) options on a socket. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).

CVE-2015-3212

USN-2714-1: Linux kernel (OMAP4) vulnerabilities - 17th August 2015

Marcelo Ricardo Leitner discovered a race condition in the Linux kernel's SCTP address configuration lists when using Address Configuration Change (ASCONF) options on a socket. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-3212) A flaw was discovered in how the Linux ...

CVE-2015-3212 CVE-2015-5364 CVE-2015-5366

USN-2713-1: Linux kernel vulnerabilities - 17th August 2015

Marcelo Ricardo Leitner discovered a race condition in the Linux kernel's SCTP address configuration lists when using Address Configuration Change (ASCONF) options on a socket. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-3212) A flaw was discovered in how the Linux ...

CVE-2015-3212 CVE-2015-5364 CVE-2015-5366

USN-2711-1: Net-SNMP vulnerabilities - 17th August 2015

It was discovered that Net-SNMP incorrectly handled certain trap messages when the -OQ option was used. A remote attacker could use this issue to cause Net-SNMP to crash, resulting in a denial of service. (CVE-2014-3565) Qinghao Tang discovered that Net-SNMP incorrectly handled SNMP PDU parsing failures. A remote attacker could ...

CVE-2014-3565 CVE-2015-5621

USN-2710-1: OpenSSH vulnerabilities - 14th August 2015

Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to perform user impersonation. (CVE number pending) Moritz Jodeit discovered that OpenSSH incorrectly handled context memory when using PAM ...

CVE-2015-5352 CVE-2015-5600

USN-2709-1: pollinate update - 14th August 2015

The pollinate package bundles the certificate for entropy.ubuntu.com. This update refreshes the certificate to match the new certificate for the server.

LP: 1483762

USN-2702-2: Ubufox update - 11th August 2015

USN-2702-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Ubufox. Original advisory details: Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, and Eric Rahm discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, ...

LP: 1483858

USN-2702-1: Firefox vulnerabilities - 11th August 2015

Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley, Chris Coulson, and Eric Rahm discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or ...

CVE-2015-4473 CVE-2015-4474 CVE-2015-4475 CVE-2015-4477 CVE-2015-4478 CVE-2015-4479 CVE-2015-4480 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4490 CVE-2015-4491 CVE-2015-4492 CVE-2015-4493

USN-2707-1: Firefox vulnerability - 7th August 2015

Cody Crews discovered a way to violate the same-origin policy to inject script into a non-privileged part of the PDF viewer. If a user were tricked into opening a specially crafted website, an attacker could exploit this to read sensitive information from local files. (CVE-2015-4495)

CVE-2015-4495

USN-2706-1: OpenJDK 6 vulnerabilities - 6th August 2015

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-2590, CVE-2015-2628, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4760, CVE-2015-4748) Several vulnerabilities were discovered in the cryptographic components of ...

CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760

USN-2705-1: Keystone vulnerabilities - 5th August 2015

Qin Zhao discovered Keystone disabled certificate verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. (CVE-2014-7144) Brant Knudson discovered Keystone disabled certificate verification when the "insecure" option is set in ...

CVE-2014-7144 CVE-2015-1852

USN-2704-1: Swift vulnerabilities - 5th August 2015

Rajaneesh Singh discovered Swift does not properly enforce metadata limits. An attacker could abuse this issue to store more metadata than allowed by policy. (CVE-2014-7960) Clay Gerrard discovered Swift allowed users to delete the latest version of an object regardless of object permissions when allow_version is configured. An attacker could use ...

CVE-2014-7960 CVE-2015-1856

USN-2703-1: Cinder vulnerability - 5th August 2015

Bastian Blank discovered that Cinder guessed image formats based on untrusted data. An attacker could use this to read arbitrary files from the Cinder host.

CVE-2015-1851

USN-2677-1: Oxide vulnerabilities - 4th August 2015

An uninitialized value issue was discovered in ICU. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2015-1270) A use-after-free was discovered in the GPU process implementation in Chromium. If a user were tricked in ...

CVE-2015-1270 CVE-2015-1272 CVE-2015-1276 CVE-2015-1277 CVE-2015-1280 CVE-2015-1281 CVE-2015-1283 CVE-2015-1284 CVE-2015-1285 CVE-2015-1287 CVE-2015-1289 CVE-2015-1329 CVE-2015-5605 LP: 1466208

USN-2699-1: HPLIP vulnerability - 30th July 2015

Enrico Zini discovered that HPLIP used a short GPG key ID when downloading keys from the keyserver. An attacker could possibly use this to return a different key with a duplicate short key id and perform a man-in-the-middle attack on printer plugin installations.

CVE-2015-0839

USN-2698-1: SQLite vulnerabilities - 30th July 2015

It was discovered that SQLite incorrectly handled skip-scan optimization. An attacker could use this issue to cause applications using SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2013-7443) Michal Zalewski discovered that SQLite incorrectly handled dequoting of ...

CVE-2013-7443 CVE-2015-3414 CVE-2015-3415 CVE-2015-3416

USN-2697-1: Ghostscript vulnerability - 30th July 2015

William Robinet and Stefan Cornelius discovered that Ghostscript did not correctly handle certain Postscript files. If a user or automated system were tricked into opening a specially crafted file, an attacker could cause a denial of service or possibly execute arbitrary code.

CVE-2015-3228

USN-2696-1: OpenJDK 7 vulnerabilities - 30th July 2015

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-2590, CVE-2015-2628, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4760, CVE-2015-4748) Several vulnerabilities were discovered in the cryptographic components of ...

CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/LogJam

USN-2695-1: HTML Tidy vulnerabilities - 29th July 2015

Fernando Muñoz discovered that HTML Tidy incorrectly handled memory. If a user or automated system were tricked into processing specially crafted data, applications linked against HTML Tidy could be made to crash, leading to a denial of service, or possibly execute arbitrary code.

CVE-2015-5522 CVE-2015-5523

USN-2694-1: PCRE vulnerabilities - 29th July 2015

Michele Spagnuolo discovered that PCRE incorrectly handled certain regular expressions. A remote attacker could use this issue to cause applications using PCRE to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-8964) Kai Lu discovered that PCRE incorrectly handled ...

CVE-2014-8964 CVE-2015-2325 CVE-2015-2326 CVE-2015-3210 CVE-2015-5073

USN-2693-1: Bind vulnerabilities - 28th July 2015

Jonathan Foote discovered that Bind incorrectly handled certain TKEY queries. A remote attacker could use this issue with a specially crafted packet to cause Bind to crash, resulting in a denial of service. (CVE-2015-5477) Pories Ediansyah discovered that Bind incorrectly handled certain configurations involving DNS64. A remote attacker could use ...

CVE-2012-5689 CVE-2015-5477

USN-2692-1: QEMU vulnerabilities - 28th July 2015

Matt Tait discovered that QEMU incorrectly handled PIT emulation. In a non-default configuration, a malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with ...

CVE-2015-3214 CVE-2015-5154 CVE-2015-5158

USN-2691-1: Linux kernel vulnerabilities - 28th July 2015

Andy Lutomirski discovered a flaw in the Linux kernel's handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-3290) Colin King discovered a flaw in the add_key function of the Linux kernel's ...

CVE-2015-1333 CVE-2015-3290 CVE-2015-3291 CVE-2015-5157

USN-2690-1: Linux kernel (Vivid HWE) vulnerabilities - 28th July 2015

Andy Lutomirski discovered a flaw in the Linux kernel's handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-3290) Colin King discovered a flaw in the add_key function of the Linux kernel's ...

CVE-2015-1333 CVE-2015-3290 CVE-2015-3291 CVE-2015-5157

USN-2689-1: Linux kernel (Utopic HWE) vulnerabilities - 28th July 2015

Andy Lutomirski discovered a flaw in the Linux kernel's handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-3290) Colin King discovered a flaw in the add_key function of the Linux kernel's ...

CVE-2015-1333 CVE-2015-3290 CVE-2015-3291 CVE-2015-5157

USN-2688-1: Linux kernel vulnerabilities - 28th July 2015

Andy Lutomirski discovered a flaw in the Linux kernel's handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-3290) Colin King discovered a flaw in the add_key function of the Linux kernel's ...

CVE-2015-1333 CVE-2015-3290 CVE-2015-3291 CVE-2015-5157

USN-2687-1: Linux kernel (Trusty HWE) vulnerabilities - 28th July 2015

Andy Lutomirski discovered a flaw in the Linux kernel's handling of nested NMIs (non-maskable interrupts). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-3290) Colin King discovered a flaw in the add_key function of the Linux kernel's ...

CVE-2015-1333 CVE-2015-3290 CVE-2015-3291 CVE-2015-5157

USN-2686-1: Apache HTTP Server vulnerabilities - 27th July 2015

It was discovered that the Apache HTTP Server incorrectly parsed chunk headers. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2015-3183) It was discovered that the Apache HTTP Server incorrectly handled the ap_some_auth_required API. A remote attacker could possibly use this issue to bypass ...

CVE-2015-3183 CVE-2015-3185

USN-2684-1: Linux kernel vulnerabilities - 23rd July 2015

A flaw was discovered in the kvm (kernel virtual machine) subsystem's kvm_apic_has_events function. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4692) Daniel Borkmann reported a kernel crash in the Linux kernel's BPF filter JIT optimization. A local attacker could exploit this ...

CVE-2015-4692 CVE-2015-4700 CVE-2015-5364 CVE-2015-5366

USN-2683-1: Linux kernel (Vivid HWE) vulnerabilities - 23rd July 2015

A flaw was discovered in the kvm (kernel virtual machine) subsystem's kvm_apic_has_events function. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4692) Daniel Borkmann reported a kernel crash in the Linux kernel's BPF filter JIT optimization. A local attacker could exploit this ...

CVE-2015-4692 CVE-2015-4700 CVE-2015-5364 CVE-2015-5366

USN-2682-1: Linux kernel (Utopic HWE) vulnerabilities - 23rd July 2015

A flaw was discovered in the kvm (kernel virtual machine) subsystem's kvm_apic_has_events function. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2015-4692) A flaw was discovered in how the Linux kernel handles invalid UDP checksums. A remote attacker could exploit this flaw ...

CVE-2015-4692 CVE-2015-5364 CVE-2015-5366

USN-2681-1: Linux kernel vulnerabilities - 23rd July 2015

A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-1805) A flaw was discovered in the kvm (kernel virtual machine) ...

CVE-2015-1805 CVE-2015-4692 CVE-2015-4700 CVE-2015-5364 CVE-2015-5366 CVE-2015-5706

USN-2680-1: Linux kernel (Trusty HWE) vulnerabilities - 23rd July 2015

A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-1805) A flaw was discovered in the kvm (kernel virtual machine) ...

CVE-2015-1805 CVE-2015-4692 CVE-2015-4700 CVE-2015-5364 CVE-2015-5366 CVE-2015-5706

USN-2679-1: Linux kernel (OMAP4) vulnerabilities - 23rd July 2015

A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-1805) Daniel Borkmann reported a kernel crash in the Linux kernel's ...

CVE-2015-1805 CVE-2015-4700

USN-2678-1: Linux kernel vulnerabilities - 23rd July 2015

A flaw was discovered in the user space memory copying for the pipe iovecs in the Linux kernel. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges. (CVE-2015-1805) Daniel Borkmann reported a kernel crash in the Linux kernel's ...

CVE-2015-1805 CVE-2015-4700

USN-2676-1: NBD vulnerabilities - 22nd July 2015

It was discovered that NBD incorrectly handled IP address matching. A remote attacker could use this issue with an IP address that has a partial match and bypass access restrictions. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-6410) Tuomas Räsänen discovered that NBD incorrectly handled wrong export names and closed ...

CVE-2013-6410 CVE-2013-7441 CVE-2015-0847

USN-2675-1: LXC vulnerabilities - 22nd July 2015

Roman Fiedler discovered that LXC had a directory traversal flaw when creating lock files. A local attacker could exploit this flaw to create an arbitrary file as the root user. (CVE-2015-1331) Roman Fiedler discovered that LXC incorrectly trusted the container's proc filesystem to set up AppArmor profile changes and SELinux ...

CVE-2015-1331 CVE-2015-1334

USN-2674-1: MySQL vulnerabilities - 21st July 2015

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.44 in Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10. Ubuntu 15.04 has been updated to MySQL 5.6.25. In addition to security fixes, the updated ...

CVE-2015-2582 CVE-2015-2611 CVE-2015-2617 CVE-2015-2620 CVE-2015-2639 CVE-2015-2641 CVE-2015-2643 CVE-2015-2648 CVE-2015-2661 CVE-2015-4737 CVE-2015-4752 CVE-2015-4757 CVE-2015-4761 CVE-2015-4767 CVE-2015-4769 CVE-2015-4771 CVE-2015-4772

USN-2673-1: Thunderbird vulnerabilities - 20th July 2015

Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property. (CVE-2015-2721) Bob Clary, Christian Holler, Bobby Holley, and Andrew McCreight ...

CVE-2015-2721 CVE-2015-2724 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-4000

USN-2656-2: Firefox vulnerabilities - 15th July 2015

USN-2656-1 fixed vulnerabilities in Firefox for Ubuntu 14.04 LTS and later releases. This update provides the corresponding update for Ubuntu 12.04 LTS. Original advisory details: Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, ...

CVE-2015-2721 CVE-2015-2722 CVE-2015-2724 CVE-2015-2725 CVE-2015-2726 CVE-2015-2727 CVE-2015-2728 CVE-2015-2729 CVE-2015-2730 CVE-2015-2731 CVE-2015-2733 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2741 CVE-2015-2743 CVE-2015-4000
