Ubuntu security notices

These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please file a bug, or contact security@ubuntu.com. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

< Previous   Showing page 5 of 53   Next >
Show: All  

USN-2180-1: Linux kernel (OMAP4) vulnerabilities - 26th April 2014

A flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged ...

CVE-2014-0049 CVE-2014-0069

USN-2179-1: Linux kernel vulnerabilities - 26th April 2014

A flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged ...

CVE-2014-0049 CVE-2014-0069

USN-2178-1: Linux kernel vulnerabilities - 26th April 2014

A flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged ...

CVE-2014-0049 CVE-2014-0069

USN-2177-1: Linux kernel (Saucy HWE) vulnerabilities - 26th April 2014

A flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged ...

CVE-2014-0049 CVE-2014-0069

USN-2176-1: Linux kernel (Raring HWE) vulnerabilities - 26th April 2014

A flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged ...

CVE-2014-0049 CVE-2014-0069

USN-2175-1: Linux kernel (Quantal HWE) vulnerabilities - 26th April 2014

A flaw was discovered in the Kernel Virtual Machine (KVM) subsystem of the Linux kernel. A guest OS user could exploit this flaw to execute arbitrary code on the host OS. (CVE-2014-0049) Al Viro discovered an error in how CIFS in the Linux kernel handles uncached write operations. An unprivileged ...

CVE-2014-0049 CVE-2014-0069

USN-2174-1: Linux kernel (EC2) vulnerabilities - 26th April 2014

A flaw was discovered in the Linux kernel's handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101) An error was discovered in the Linux kernel's DCCP protocol support. A remote attacked could exploit this flaw to cause a ...

CVE-2014-0101 CVE-2014-2523

USN-2173-1: Linux kernel vulnerabilities - 26th April 2014

A flaw was discovered in the Linux kernel's handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101) An error was discovered in the Linux kernel's DCCP protocol support. A remote attacked could exploit this flaw to cause a ...

CVE-2014-0101 CVE-2014-2523

USN-2172-1: CUPS vulnerability - 24th April 2014

Alex Korobkin discovered that the CUPS web interface incorrectly protected against cross-site scripting (XSS) attacks. If an authenticated user were tricked into visiting a malicious website while logged into CUPS, a remote attacker could modify the CUPS configuration and possibly steal confidential data.

CVE-2014-2856

USN-2171-1: rsync vulnerability - 23rd April 2014

Ryan Finnie discovered that the rsync daemon incorrectly handled invalid usernames. A remote attacker could use this issue to cause rsync to consume resources, resulting in a denial of service.

CVE-2014-2855

USN-2170-1: MySQL vulnerabilities - 23rd April 2014

Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.37. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: ...

CVE-2014-0001 CVE-2014-0384 CVE-2014-2419 CVE-2014-2430 CVE-2014-2431 CVE-2014-2432 CVE-2014-2436 CVE-2014-2438 CVE-2014-2440

USN-2169-2: Django regression - 22nd April 2014

USN-2169-1 fixed vulnerabilities in Django. The upstream security patch for CVE-2014-0472 introduced a regression for certain applications. This update fixes the problem. Original advisory details: Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to ...

LP: 1311433

USN-2169-1: Django vulnerabilities - 22nd April 2014

Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. (CVE-2014-0472) Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF ...

CVE-2014-0472 CVE-2014-0473 CVE-2014-0474

USN-2168-1: Python Imaging Library vulnerabilities - 15th April 2014

Jakub Wilk discovered that the Python Imaging Library incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files, or gain access to temporary file contents. (CVE-2014-1932, CVE-2014-1933)

CVE-2014-1932 CVE-2014-1933

USN-2167-1: curl vulnerabilities - 14th April 2014

Steve Holme discovered that libcurl incorrectly reused wrong connections when using protocols other than HTTP and FTP. This could lead to the use of unintended credentials, possibly exposing sensitive information. (CVE-2014-0138) Richard Moore discovered that libcurl incorrectly validated wildcard SSL certificates that contain literal IP addresses. An attacker could possibly ...

CVE-2014-0138 CVE-2014-0139

USN-2166-1: Net-SNMP vulnerabilities - 14th April 2014

Ken Farnen discovered that Net-SNMP incorrectly handled AgentX timeouts. A remote attacker could use this issue to cause the server to crash or to hang, resulting in a denial of service. (CVE-2012-6151) It was discovered that the Net-SNMP ICMP-MIB incorrectly validated input. A remote attacker could use this issue to ...

CVE-2012-6151 CVE-2014-2284 CVE-2014-2285 CVE-2014-2310

USN-2124-2: OpenJDK 6 regression - 7th April 2014

USN-2124-1 fixed vulnerabilities in OpenJDK 6. Due to an upstream regression, memory was not properly zeroed under certain circumstances which could lead to instability. This update fixes the problem. We apologize for the inconvenience. Original advisory details: A vulnerability was discovered in the OpenJDK JRE related to information disclosure and ...

LP: 1295987

USN-2165-1: OpenSSL vulnerabilities - 7th April 2014

Neel Mehta discovered that OpenSSL incorrectly handled memory in the TLS heartbeat extension. An attacker could use this issue to obtain up to 64k of memory contents from the client or server, possibly leading to the disclosure of private keys and other sensitive information. (CVE-2014-0160) Yuval Yarom and Naomi Benger ...

CVE-2014-0076 CVE-2014-0160

USN-2164-1: OpenSSH vulnerability - 7th April 2014

Matthew Vernon discovered that OpenSSH did not correctly check SSHFP DNS records if a server presented an unacceptable host certificate. A malicious server could use this issue to disable SSHFP checking.

CVE-2014-2653

USN-2163-1: PHP vulnerability - 7th April 2014

It was discovered that PHP's embedded libmagic library incorrectly handled PE executables. An attacker could use this issue to cause PHP to crash, resulting in a denial of service.

CVE-2014-2270

USN-2162-1: file vulnerability - 7th April 2014

It was discovered that file incorrectly handled PE executable files. An attacker could use this issue to cause file to crash, resulting in a denial of service.

CVE-2014-2270

USN-2161-1: libyaml-libyaml-perl vulnerabilities - 3rd April 2014

Florian Weimer discovered that libyaml-libyaml-perl incorrectly handled certain large YAML documents. An attacker could use this issue to cause libyaml-libyaml-perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6393) Ivan Fratric discovered that libyaml-libyaml-perl incorrectly handled certain malformed YAML documents. An attacker could use this ...

CVE-2013-6393 CVE-2014-2525

USN-2160-1: LibYAML vulnerability - 3rd April 2014

Ivan Fratric discovered that LibYAML incorrectly handled certain malformed YAML documents. An attacker could use this issue to cause LibYAML to crash, resulting in a denial of service, or possibly execute arbitrary code.

CVE-2014-2525

USN-2159-1: NSS vulnerability - 2nd April 2014

It was discovered that NSS incorrectly handled wildcard certificates when used with internationalized domain names. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to spoof SSL servers.

CVE-2014-1492

USN-2158-1: Linux kernel (Raring HWE) vulnerabilities - 1st April 2014

Stephan Mueller reported an error in the Linux kernel's ansi cprng random number generator. This flaw makes it easier for a local attacker to break cryptographic protections. (CVE-2013-4345) Nico Golde and Fabian Yamaguchi reported buffer underflow errors in the implementation of the XFS filesystem in the Linux kernel. A local ...

CVE-2013-4345 CVE-2013-6382 CVE-2014-1690

USN-2157-1: ClamAV update - 27th March 2014

This updates ClamAV to a new major version in order to gain new detection technologies and maintain proper compatibility with the virus signature database.

LP: 1296856

USN-2156-1: Samba vulnerability - 26th March 2014

Andrew Bartlett discovered that Samba did not properly enforce the password guessing protection mechanism for all interfaces. A remote attacker could use this issue to possibly attempt to brute force user passwords.

CVE-2013-4496

USN-2155-1: OpenSSH vulnerability - 25th March 2014

Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to possibly bypass certain intended environment variable restrictions.

CVE-2014-2532

USN-2154-1: ca-certificates update - 24th March 2014

The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20130906 package.

LP: 1257265

USN-2153-1: initramfs-tools vulnerability - 24th March 2014

Kees Cook discovered that initramfs-tools incorrectly mounted /run without the noexec option, contrary to expected behaviour.

LP: 1152744

USN-2152-1: Apache HTTP Server vulnerabilities - 24th March 2014

Ning Zhang & Amin Tora discovered that the mod_dav module incorrectly handled whitespace characters in CDATA sections. A remote attacker could use this issue to cause the server to stop responding, resulting in a denial of service. (CVE-2013-6438) Rainer M Canavan discovered that the mod_log_config module incorrectly handled certain cookies. ...

CVE-2013-6438 CVE-2014-0098

USN-2151-1: Thunderbird vulnerabilities - 21st March 2014

Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij, Jesse Ruderman, Dan Gohman and Christoph Diehl discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service ...

CVE-2014-1493 CVE-2014-1497 CVE-2014-1505 CVE-2014-1508 CVE-2014-1509 CVE-2014-1510 CVE-2014-1511 CVE-2014-1512 CVE-2014-1513 CVE-2014-1514 LP: 1293851

USN-2150-1: Firefox vulnerabilities - 18th March 2014

Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij, Jesse Ruderman, Dan Gohman, Christoph Diehl, Gregor Wagner, Gary Kwong, Luke Wagner, Rob Fletcher and Makoto Kato discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit ...

CVE-2014-1493 CVE-2014-1494 CVE-2014-1497 CVE-2014-1498 CVE-2014-1499 CVE-2014-1500 CVE-2014-1502 CVE-2014-1504 CVE-2014-1505 CVE-2014-1508 CVE-2014-1509 CVE-2014-1510 CVE-2014-1511 CVE-2014-1512 CVE-2014-1513 CVE-2014-1514 LP: 1291982

USN-2149-2: GTK+ update - 17th March 2014

USN-2149-1 fixed a vulnerability in librsvg. This update provides a compatibility fix for GTK+ to work with the librsvg security update. Original advisory details: It was discovered that librsvg would load XML external entities by default. If a user were tricked into viewing a specially crafted SVG file, an attacker ...

CVE-2013-1881

USN-2149-1: librsvg vulnerability - 17th March 2014

It was discovered that librsvg would load XML external entities by default. If a user were tricked into viewing a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files.

CVE-2013-1881

USN-2148-1: FreeType vulnerabilities - 17th March 2014

Mateusz Jurczyk discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges. (CVE-2014-2240, CVE-2014-2241)

CVE-2014-2240 CVE-2014-2241

USN-2147-1: Mutt vulnerability - 13th March 2014

Beatrice Torracca and Evgeni Golov discovered a buffer overflow in mutt while expanding addresses when parsing email headers. An attacker could specially craft an email to cause mutt to crash, resulting in a denial of service, or possibly execute arbitrary code with the privileges of the user invoking mutt.

CVE-2014-0467

USN-2146-1: Sudo vulnerabilities - 13th March 2014

Sebastien Macke discovered that Sudo incorrectly handled blacklisted environment variables when the env_reset option was disabled. A local attacker could use this issue to possibly run unintended commands by using blacklisted environment variables. In a default Ubuntu installation, the env_reset option is enabled by default. This issue only affected Ubuntu ...

CVE-2014-0106 LP: 1223297

USN-2145-1: libssh vulnerability - 12th March 2014

Aris Adamantiadis discovered that libssh allowed the OpenSSL PRNG state to be reused when implementing forking servers. This could allow an attacker to possibly obtain information about the state of the PRNG and perform cryptographic attacks.

CVE-2014-0017

USN-2144-1: CUPS vulnerabilities - 12th March 2014

Florian Weimer discovered that the pdftoopvp filter bundled in the CUPS package incorrectly handled memory. An attacker could possibly use this issue to execute arbitrary code with the privileges of the lp user. (CVE-2013-6474, CVE-2013-6475) Florian Weimer discovered that the pdftoopvp filter bundled in the CUPS package did not restrict ...

CVE-2013-6474 CVE-2013-6475 CVE-2013-6476

USN-2143-1: cups-filters vulnerabilities - 12th March 2014

Florian Weimer discovered that cups-filters incorrectly handled memory in the urftopdf filter. An attacker could possibly use this issue to execute arbitrary code with the privileges of the lp user. This issue only affected Ubuntu 13.10. (CVE-2013-6473) Florian Weimer discovered that cups-filters incorrectly handled memory in the pdftoopvp filter. An ...

CVE-2013-6473 CVE-2013-6474 CVE-2013-6475 CVE-2013-6476

USN-2142-1: UDisks vulnerability - 10th March 2014

Florian Weimer discovered that UDisks incorrectly handled certain long path names. A local attacker could use this issue to cause udisks to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service.

CVE-2014-0004

USN-2141-1: Linux kernel (OMAP4) vulnerabilities - 7th March 2014

Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual ...

CVE-2013-4579 CVE-2013-4587 CVE-2013-6367 CVE-2013-6368 CVE-2013-6382 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265 CVE-2013-7266 CVE-2013-7267 CVE-2013-7268 CVE-2013-7269 CVE-2013-7270 CVE-2013-7271 CVE-2013-7281 CVE-2013-7339 CVE-2014-1438 CVE-2014-1446 CVE-2014-1874

USN-2140-1: Linux kernel vulnerabilities - 7th March 2014

An information leak was discovered in the Linux kernel when built with the NetFilter Connection Tracking (NF_CONNTRACK) support for IRC protocol (NF_NAT_IRC). A remote attacker could exploit this flaw to obtain potentially sensitive kernel information when communicating over a client- to-client IRC connection(/dcc) via a NAT-ed network. (CVE-2014-1690) Matthew Thode ...

CVE-2014-1690 CVE-2014-1874 CVE-2014-2038

USN-2139-1: Linux kernel (OMAP4) vulnerabilities - 7th March 2014

Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual ...

CVE-2013-4579 CVE-2013-4587 CVE-2013-6367 CVE-2013-6368 CVE-2013-6382 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265 CVE-2013-7266 CVE-2013-7267 CVE-2013-7268 CVE-2013-7269 CVE-2013-7270 CVE-2013-7271 CVE-2013-7281 CVE-2014-1438 CVE-2014-1446 CVE-2014-1874

USN-2138-1: Linux kernel vulnerabilities - 7th March 2014

Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual ...

CVE-2013-4579 CVE-2013-4587 CVE-2013-6367 CVE-2013-6368 CVE-2013-6382 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265 CVE-2013-7266 CVE-2013-7267 CVE-2013-7268 CVE-2013-7269 CVE-2013-7270 CVE-2013-7271 CVE-2013-7281 CVE-2014-1438 CVE-2014-1446 CVE-2014-1874

USN-2137-1: Linux kernel (Saucy HWE) vulnerabilities - 7th March 2014

An information leak was discovered in the Linux kernel when built with the NetFilter Connection Tracking (NF_CONNTRACK) support for IRC protocol (NF_NAT_IRC). A remote attacker could exploit this flaw to obtain potentially sensitive kernel information when communicating over a client- to-client IRC connection(/dcc) via a NAT-ed network. (CVE-2014-1690) Matthew Thode ...

CVE-2014-1690 CVE-2014-1874 CVE-2014-2038

USN-2136-1: Linux kernel (Raring HWE) vulnerabilities - 7th March 2014

Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual ...

CVE-2013-4579 CVE-2013-4587 CVE-2013-6367 CVE-2013-6368 CVE-2013-6376 CVE-2013-6380 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265 CVE-2013-7266 CVE-2013-7267 CVE-2013-7268 CVE-2013-7269 CVE-2013-7270 CVE-2013-7271 CVE-2013-7281 CVE-2013-7339 CVE-2014-1438 CVE-2014-1446 CVE-2014-1874

USN-2135-1: Linux kernel (Quantal HWE) vulnerabilities - 7th March 2014

Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual ...

CVE-2013-4579 CVE-2013-4587 CVE-2013-6367 CVE-2013-6368 CVE-2013-6382 CVE-2013-7263 CVE-2013-7264 CVE-2013-7265 CVE-2013-7266 CVE-2013-7267 CVE-2013-7268 CVE-2013-7269 CVE-2013-7270 CVE-2013-7271 CVE-2013-7281 CVE-2013-7339 CVE-2014-1438 CVE-2014-1446 CVE-2014-1874

USN-2134-1: Linux kernel (OMAP4) vulnerabilities - 7th March 2014

Mathy Vanhoef discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing atack. (CVE-2013-4579) Andrew Honig reported an error in the Linux Kernel's Kernel Virtual Machine (KVM) VAPIC synchronization ...

CVE-2013-4579 CVE-2013-6368 CVE-2013-7339 CVE-2014-1438 CVE-2014-1446 CVE-2014-1874

< Previous   Showing page 5 of 53   Next >
Show: All