Ubuntu security notices

These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

< Previous   Showing page 5 of 69   Next >
Show: All  

USN-2900-1: GNU C Library vulnerability - 16th February 2016

It was discovered that the GNU C Library incorrectly handled receiving responses while performing DNS resolution. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2015-7547

USN-2899-1: LibreOffice vulnerabilities - 16th February 2016

It was discovered that LibreOffice incorrectly handled LWP document files. If a user were tricked into opening a specially crafted LWP document, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code.

CVE-2016-0794 CVE-2016-0795

USN-2855-2: Samba regression - 16th February 2016

USN-2855-1 fixed vulnerabilities in Samba. The upstream fix for CVE-2015-5252 introduced a regression in certain specific environments. This update fixes the problem. Original advisory details: Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled certain packets. A remote attacker could use this issue to cause the LDAP server to ...

LP: 1545750

USN-2898-2: Eye of GNOME vulnerability - 15th February 2016

It was discovered that Eye of GNOME incorrectly handled certain large images. If a user were tricked into opening a specially-crafted image, a remote attacker could use this issue to cause Eye of GNOME to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2013-7447

USN-2898-1: GTK+ vulnerability - 15th February 2016

It was discovered that GTK+ incorrectly handled certain large images. A remote attacker could use this issue to cause GTK+ applications to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2013-7447

USN-2897-1: Nettle vulnerabilities - 15th February 2016

Hanno Böck discovered that Nettle incorrectly handled carry propagation in the NIST P-256 elliptic curve. (CVE-2015-8803) Hanno Böck discovered that Nettle incorrectly handled carry propagation in the NIST P-384 elliptic curve. (CVE-2015-8804) Niels Moeller discovered that Nettle incorrectly handled carry propagation in the NIST P-256 elliptic curve. (CVE-2015-8805)

CVE-2015-8803 CVE-2015-8804 CVE-2015-8805

USN-2896-1: Libgcrypt vulnerability - 15th February 2016

Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered that Libgcrypt was susceptible to an attack via physical side channels. A local attacker could use this attack to possibly recover private keys.

CVE-2015-7511

USN-2893-1: Firefox vulnerability - 11th February 2016

Jason Pang discovered that service workers intercept responses to plugin network requests made through the browser. An attacker could potentially exploit this to bypass same origin restrictions using the Flash plugin. (CVE-2016-1949)

CVE-2016-1949

USN-2894-1: PostgreSQL vulnerabilities - 11th February 2016

It was discovered that PostgreSQL incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service. (CVE-2016-0773) It was discovered that PostgreSQL incorrectly handled certain configuration settings (GUCS) for users of PL/Java. A remote attacker could possibly ...

CVE-2016-0766 CVE-2016-0773

USN-2892-1: nginx vulnerabilities - 9th February 2016

It was discovered that nginx incorrectly handled certain DNS server responses when the resolver is enabled. A remote attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service. (CVE-2016-0742) It was discovered that nginx incorrectly handled CNAME response processing when the resolver is ...

CVE-2016-0742 CVE-2016-0746 CVE-2016-0747

USN-2880-2: Firefox regression - 8th February 2016

USN-2880-1 fixed vulnerabilities in Firefox. This update introduced a regression which caused Firefox to crash on startup with some configurations. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman, Carsten Book, Randell Jesup, Nicolas Pierron, Eric ...

LP: 1538724

USN-2891-1: QEMU vulnerabilities - 3rd February 2016

Qinghao Tang discovered that QEMU incorrectly handled PCI MSI-X support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-7549) Lian Yihan discovered that QEMU incorrectly handled the VNC ...

CVE-2015-7549 CVE-2015-8504 CVE-2015-8550 CVE-2015-8558 CVE-2015-8567 CVE-2015-8568 CVE-2015-8613 CVE-2015-8619 CVE-2015-8666 CVE-2015-8743 CVE-2015-8744 CVE-2015-8745 CVE-2016-1568 CVE-2016-1714 CVE-2016-1922 CVE-2016-1981 CVE-2016-2197 CVE-2016-2198

USN-2890-3: Linux kernel (Raspberry Pi 2) vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7550 CVE-2015-7990 CVE-2015-8374 CVE-2015-8543 CVE-2015-8569 CVE-2015-8575 CVE-2015-8787

USN-2890-2: Linux kernel (Wily HWE) vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7550 CVE-2015-7990 CVE-2015-8374 CVE-2015-8543 CVE-2015-8569 CVE-2015-8575 CVE-2015-8787

USN-2890-1: Linux kernel vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7550 CVE-2015-7990 CVE-2015-8374 CVE-2015-8543 CVE-2015-8569 CVE-2015-8575 CVE-2015-8787

USN-2889-2: Linux kernel (Vivid HWE) vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7990 CVE-2015-8374 CVE-2015-8787

USN-2889-1: Linux kernel vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7990 CVE-2015-8374 CVE-2015-8787

USN-2888-1: Linux kernel (Utopic HWE) vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7550 CVE-2015-7990 CVE-2015-8374 CVE-2015-8543 CVE-2015-8569 CVE-2015-8575

USN-2887-2: Linux kernel (Trusty HWE) vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7990 CVE-2015-8374

USN-2887-1: Linux kernel vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7990 CVE-2015-8374

USN-2886-2: Linux kernel (OMAP4) vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7799 CVE-2015-7990 CVE-2015-8374 CVE-2015-8543 CVE-2015-8550 CVE-2015-8569 CVE-2015-8575 CVE-2015-8785

USN-2886-1: Linux kernel vulnerabilities - 1st February 2016

It was discovered that a use-after-free vulnerability existed in the AF_UNIX implementation in the Linux kernel. A local attacker could use crafted epoll_ctl calls to cause a denial of service (system crash) or expose sensitive information. (CVE-2013-7446) It was discovered that the KVM implementation in the Linux kernel did not ...

CVE-2013-7446 CVE-2015-7513 CVE-2015-7799 CVE-2015-7990 CVE-2015-8374 CVE-2015-8543 CVE-2015-8569 CVE-2015-8575 CVE-2015-8785

USN-2885-1: OpenJDK 6 vulnerabilities - 1st February 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code. (CVE-2016-0483, CVE-2016-0494) A vulnerability was discovered in the OpenJDK JRE related to ...

CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494

USN-2884-1: OpenJDK 7 vulnerabilities - 1st February 2016

Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service, expose sensitive data over the network, or possibly execute arbitrary code. (CVE-2016-0483, CVE-2016-0494) A vulnerability was discovered in the OpenJDK JRE related to ...

CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494

USN-2883-1: OpenSSL vulnerability - 28th January 2016

Antonio Sanso discovered that OpenSSL reused the same private DH exponent for the life of a server process when configured with a X9.42 style parameter file. This could allow a remote attacker to possibly discover the server's private DH exponent when being used with non-safe primes.

CVE-2016-0701

USN-2882-1: curl vulnerability - 27th January 2016

Isaac Boukris discovered that curl could incorrectly re-use NTLM proxy credentials when subsequently connecting to the same host.

CVE-2016-0755

USN-2877-1: Oxide vulnerabilities - 27th January 2016

A bad cast was discovered in V8. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2016-1612) An issue was ...

CVE-2016-1612 CVE-2016-1614 CVE-2016-1617 CVE-2016-1618 CVE-2016-1620 CVE-2016-2051 CVE-2016-2052

USN-2880-1: Firefox vulnerabilities - 27th January 2016

Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman, Carsten Book, Randell Jesup, Nicolas Pierron, Eric Rescorla, Tyson Smith, and Gabor Krizsanits discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause ...

CVE-2016-1930 CVE-2016-1931 CVE-2016-1933 CVE-2016-1935 CVE-2016-1937 CVE-2016-1938 CVE-2016-1939 CVE-2016-1942 CVE-2016-1944 CVE-2016-1945 CVE-2016-1946 CVE-2016-1947

USN-2881-1: MySQL vulnerabilities - 26th January 2016

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.47 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 15.04 and Ubuntu 15.10 have been updated to MySQL 5.6.28. In addition to security fixes, the ...

CVE-2016-0503 CVE-2016-0504 CVE-2016-0505 CVE-2016-0546 CVE-2016-0595 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0607 CVE-2016-0608 CVE-2016-0609 CVE-2016-0610 CVE-2016-0611 CVE-2016-0616

USN-2879-1: rsync vulnerability - 21st January 2016

It was discovered that rsync incorrectly handled invalid filenames. A malicious server could use this issue to write files outside of the intended destination directory.

CVE-2014-9512

USN-2878-1: Perl vulnerability - 21st January 2016

David Golden discovered that the canonpath function in the Perl File::Spec module did not properly preserve the taint attribute. An attacker could possibly use this issue to bypass the taint protection mechanism.

CVE-2015-8607

USN-2876-1: eCryptfs vulnerability - 20th January 2016

Jann Horn discovered that mount.ecryptfs_private would mount over certain directories in the proc filesystem. A local attacker could use this to escalate their privileges. (CVE-2016-1572)

CVE-2016-1572

USN-2875-1: libxml2 vulnerabilities - 19th January 2016

It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.

CVE-2015-7499 CVE-2015-8710

USN-2874-1: Bind vulnerability - 19th January 2016

It was discovered that Bind incorrectly handled certain APL data. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.

CVE-2015-8704

USN-2870-2: Linux kernel (Trusty HWE) vulnerability - 19th January 2016

Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

CVE-2016-0728

USN-2872-3: Linux kernel (Raspberry Pi 2) vulnerability - 19th January 2016

Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

CVE-2016-0728

USN-2872-2: Linux kernel (Wily HWE) vulnerability - 19th January 2016

Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

CVE-2016-0728

USN-2871-2: Linux kernel (Vivid HWE) vulnerability - 19th January 2016

Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

CVE-2016-0728

USN-2873-1: Linux kernel (Utopic HWE) vulnerability - 19th January 2016

Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

CVE-2016-0728

USN-2872-1: Linux kernel vulnerability - 19th January 2016

Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

CVE-2016-0728

USN-2871-1: Linux kernel vulnerability - 19th January 2016

Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

CVE-2016-0728

USN-2870-1: Linux kernel vulnerability - 19th January 2016

Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.

CVE-2016-0728

USN-2869-1: OpenSSH vulnerabilities - 14th January 2016

It was discovered that the OpenSSH client experimental support for resuming connections contained multiple security issues. A malicious server could use this issue to leak client memory to the server, including private client user keys.

CVE-2016-0777 CVE-2016-0778

USN-2859-1: Thunderbird vulnerabilities - 13th January 2016

Andrei Vaida, Jesse Ruderman, Bob Clary, and Jesse Ruderman discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges ...

CVE-2015-7201 CVE-2015-7205 CVE-2015-7212 CVE-2015-7213 CVE-2015-7214

USN-2868-1: DHCP vulnerability - 13th January 2016

Sebastian Poehn discovered that the DHCP server, client, and relay incorrectly handled certain malformed UDP packets. A remote attacker could use this issue to cause the DHCP server, client, or relay to stop responding, resulting in a denial of service.

CVE-2015-8605

USN-2867-1: libvirt vulnerabilities - 12th January 2016

It was discovered that libvirt incorrectly handled the firewall rules on bridge networks when the daemon was restarted. This could result in an unintended firewall configuration. This issue only applied to Ubuntu 12.04 LTS. (CVE-2011-4600) Peter Krempa discovered that libvirt incorrectly handled locking when certain ACL checks failed. A local ...

CVE-2011-4600 CVE-2014-8136 CVE-2015-0236 CVE-2015-5247 CVE-2015-5313

USN-2860-1: Oxide vulnerabilities - 11th January 2016

A race condition was discovered in the MutationObserver implementation in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process. ...

CVE-2015-6789 CVE-2015-6790 CVE-2015-6791 CVE-2015-8548 CVE-2015-8664

USN-2866-1: Firefox vulnerability - 8th January 2016

Karthikeyan Bhargavan and Gaetan Leurent discovered that NSS incorrectly allowed MD5 to be used for TLS 1.2 connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information.

CVE-2015-7575

USN-2865-1: GnuTLS vulnerability - 8th January 2016

Karthikeyan Bhargavan and Gaetan Leurent discovered that GnuTLS incorrectly allowed MD5 to be used for TLS 1.2 connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information.

CVE-2015-7575

USN-2864-1: NSS vulnerability - 7th January 2016

Karthikeyan Bhargavan and Gaetan Leurent discovered that NSS incorrectly allowed MD5 to be used for TLS 1.2 connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information.

CVE-2015-7575

< Previous   Showing page 5 of 69   Next >
Show: All