Ubuntu security notices

These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please file a bug, or contact security@ubuntu.com. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Show: All  

USN-1972-1: Linux kernel vulnerabilities - 27th September 2013

Vince Weaver discovered a flaw in the perf subsystem of the Linux kernel on ARM platforms. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-4254) A failure to validate block numbers was discovered in the Linux kernel's implementation of the ...

CVE-2013-1819 CVE-2013-2237 CVE-2013-4254

USN-1971-1: Linux kernel (Raring HWE) vulnerabilities - 27th September 2013

Vince Weaver discovered a flaw in the perf subsystem of the Linux kernel on ARM platforms. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-4254) A memory leak was discovered in the user namespace facility of the Linux kernel. A ...

CVE-2013-4205 CVE-2013-4254

USN-1970-1: Linux kernel (Quantal HWE) vulnerabilities - 27th September 2013

Vince Weaver discovered a flaw in the perf subsystem of the Linux kernel on ARM platforms. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-4254) A failure to validate block numbers was discovered in the Linux kernel's implementation of the ...

CVE-2013-1819 CVE-2013-2237 CVE-2013-4254

USN-1969-1: Linux kernel (OMAP4) vulnerabilities - 27th September 2013

Vince Weaver discovered a flaw in the perf subsystem of the Linux kernel on ARM platforms. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-4254) A failure to validate block numbers was discovered in the Linux kernel's implementation of the ...

CVE-2013-1819 CVE-2013-4254

USN-1968-1: Linux kernel vulnerabilities - 27th September 2013

Vince Weaver discovered a flaw in the perf subsystem of the Linux kernel on ARM platforms. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash). (CVE-2013-4254) A failure to validate block numbers was discovered in the Linux kernel's implementation of the ...

CVE-2013-1819 CVE-2013-4254

USN-1966-1: Samba vulnerability - 24th September 2013

Jeremy Allison discovered that Samba incorrectly handled certain extended attribute lists. A remote attacker could use this issue to cause Samba to hang, resulting in a denial of service.

CVE-2013-4124

USN-1967-1: Django vulnerabilities - 24th September 2013

It was discovered that Django incorrectly handled large passwords. A remote attacker could use this issue to consume resources, resulting in a denial of service. (CVE-2013-1443) It was discovered that Django incorrectly handled ssi templates. An attacker could use this issue to read arbitrary files. (CVE-2013-4315) It was discovered that ...

CVE-2013-1443 CVE-2013-4315

USN-1965-1: pyOpenSSL vulnerability - 23rd September 2013

It was discovered that pyOpenSSL did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.

CVE-2013-4314

USN-1964-1: LibRaw vulnerabilities - 23rd September 2013

It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, applications linked against LibRaw could be made to crash, resulting in a denial of service. (CVE-2013-1438, CVE-2013-1439)

CVE-2013-1438 CVE-2013-1439

USN-1952-1: Thunderbird vulnerabilities - 18th September 2013

Multiple memory safety issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute arbitrary code with the privileges of the user invoking ...

CVE-2013-1718 CVE-2013-1720 CVE-2013-1721 CVE-2013-1722 CVE-2013-1724 CVE-2013-1725 CVE-2013-1728 CVE-2013-1730 CVE-2013-1732 CVE-2013-1735 CVE-2013-1736 CVE-2013-1737 CVE-2013-1738 LP: 1224912

USN-1963-1: usb-creator vulnerability - 18th September 2013

It was discovered that usb-creator was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

CVE-2013-1063

USN-1962-1: ubuntu-system-service vulnerability - 18th September 2013

It was discovered that ubuntu-system-service was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

CVE-2013-1062

USN-1961-1: systemd vulnerability - 18th September 2013

It was discovered that systemd was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

CVE-2013-4327

USN-1960-1: Software Properties vulnerability - 18th September 2013

It was discovered that Software Properties was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

CVE-2013-1061

USN-1959-1: RealtimeKit vulnerability - 18th September 2013

It was discovered that RealtimeKit was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

CVE-2013-4326

USN-1958-1: language-selector vulnerability - 18th September 2013

It was discovered that language-selector was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

CVE-2013-1066

USN-1957-1: Jockey vulnerability - 18th September 2013

It was discovered that Jockey was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

CVE-2013-1065

USN-1956-1: HPLIP vulnerability - 18th September 2013

It was discovered that HPLIP was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

CVE-2013-4325

USN-1955-1: apt-xapian-index vulnerability - 18th September 2013

It was discovered that apt-xapian-index was using polkit in an unsafe manner. A local attacker could possibly use this issue to bypass intended polkit authorizations.

CVE-2013-1064

USN-1954-1: libvirt vulnerabilities - 18th September 2013

It was discovered that libvirt used the pkcheck tool in an unsafe manner. A local attacker could possibly use this flaw to bypass polkit authentication. In Ubuntu, libvirt polkit authentication is not enabled by default. (CVE-2013-4311) It was discovered that libvirt incorrectly handled certain memory stats requests. A remote attacker ...

CVE-2013-4296 CVE-2013-4311 CVE-2013-5651

USN-1953-1: polkit vulnerability - 18th September 2013

It was discovered that polkit didn't allow applications to use the pkcheck tool in a way which prevented a race condition in the UID lookup. A local attacker could use this flaw to possibly escalate privileges.

CVE-2013-4288

USN-1951-1: Firefox vulnerabilities - 17th September 2013

Multiple memory safety issues were discovered in Firefox. If a user were tricked in to opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2013-1718, CVE-2013-1719) ...

CVE-2013-1718 CVE-2013-1719 CVE-2013-1720 CVE-2013-1721 CVE-2013-1722 CVE-2013-1724 CVE-2013-1725 CVE-2013-1728 CVE-2013-1730 CVE-2013-1732 CVE-2013-1735 CVE-2013-1736 CVE-2013-1737 CVE-2013-1738 LP: 1223826

USN-1950-1: Light Display Manager vulnerability - 12th September 2013

It was discovered that Light Display Manager created .Xauthority files with incorrect permissions. A local attacker could use this flaw to bypass access restrictions.

CVE-2013-4331

USN-1949-1: ImageMagick vulnerability - 10th September 2013

It was discovered that ImageMagick incorrectly handled decoding GIF image comments. If a user or automated system using ImageMagick were tricked into opening a specially crafted GIF image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking ...

CVE-2013-4298

USN-1948-1: httplib2 vulnerability - 9th September 2013

It was discovered that httplib2 only validated SSL certificates on the first request to a connection, and didn't report validation failures on subsequent requests. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could possibly be exploited in certain scenarios to alter or compromise confidential information ...

CVE-2013-2037

USN-1947-1: Linux kernel (Quantal HWE) vulnerabilities - 6th September 2013

A denial of service flaw was discovered in the Btrfs file system in the Linux kernel. A local user could cause a denial of service by creating a large number of files with names that have the same CRC32 hash value. (CVE-2012-5374) A denial of service flaw was discovered in ...

CVE-2012-5374 CVE-2012-5375 CVE-2013-1060 CVE-2013-2140 CVE-2013-2232 CVE-2013-2234 CVE-2013-4162 CVE-2013-4163

USN-1946-1: Linux kernel (OMAP4) vulnerabilities - 6th September 2013

A denial of service flaw was discovered in the Btrfs file system in the Linux kernel. A local user could cause a denial of service by creating a large number of files with names that have the same CRC32 hash value. (CVE-2012-5374) A denial of service flaw was discovered in ...

CVE-2012-5374 CVE-2012-5375 CVE-2013-1060 CVE-2013-2140 CVE-2013-2232 CVE-2013-2234 CVE-2013-4162 CVE-2013-4163

USN-1945-1: Linux kernel (OMAP4) vulnerabilities - 6th September 2013

A denial of service flaw was discovered in the Btrfs file system in the Linux kernel. A local user could cause a denial of service by creating a large number of files with names that have the same CRC32 hash value. (CVE-2012-5374) A denial of service flaw was discovered in ...

CVE-2012-5374 CVE-2012-5375 CVE-2013-1060 CVE-2013-2140 CVE-2013-2232 CVE-2013-2234 CVE-2013-4162 CVE-2013-4163

USN-1944-1: Linux kernel vulnerabilities - 6th September 2013

A denial of service flaw was discovered in the Btrfs file system in the Linux kernel. A local user could cause a denial of service by creating a large number of files with names that have the same CRC32 hash value. (CVE-2012-5374) A denial of service flaw was discovered in ...

CVE-2012-5374 CVE-2012-5375 CVE-2013-1060 CVE-2013-2140 CVE-2013-2232 CVE-2013-2234 CVE-2013-4162 CVE-2013-4163

USN-1943-1: Linux kernel (Raring HWE) vulnerabilities - 6th September 2013

Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows for privilege escalation. A local user could exploit this flaw to run commands as root when using the perf tool. (CVE-2013-1060) A flaw was discovered in the Xen subsystem of the Linux kernel when it provides read-only ...

CVE-2013-1060 CVE-2013-2140 CVE-2013-2232 CVE-2013-2234 CVE-2013-4162 CVE-2013-4163

USN-1942-1: Linux kernel (OMAP4) vulnerabilities - 6th September 2013

Chanam Park reported a Null pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059) Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows for privilege escalation. A local user could exploit ...

CVE-2013-1059 CVE-2013-1060 CVE-2013-2164 CVE-2013-2232 CVE-2013-2234 CVE-2013-2851 CVE-2013-4162 CVE-2013-4163

USN-1941-1: Linux kernel vulnerabilities - 6th September 2013

Chanam Park reported a Null pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059) Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows for privilege escalation. A local user could exploit ...

CVE-2013-1059 CVE-2013-1060 CVE-2013-2164 CVE-2013-2232 CVE-2013-2234 CVE-2013-2851 CVE-2013-4162 CVE-2013-4163

USN-1940-1: Linux kernel (EC2) vulnerabilities - 6th September 2013

Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows for privilege escalation. A local user could exploit this flaw to run commands as root when using the perf tool. (CVE-2013-1060) Michael S. Tsirkin discovered a flaw in how the Linux kernel's KVM subsystem allocates memory slots ...

CVE-2013-1060 CVE-2013-1943 CVE-2013-2206 CVE-2013-4162

USN-1939-1: Linux kernel vulnerabilities - 6th September 2013

Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows for privilege escalation. A local user could exploit this flaw to run commands as root when using the perf tool. (CVE-2013-1060) Michael S. Tsirkin discovered a flaw in how the Linux kernel's KVM subsystem allocates memory slots ...

CVE-2013-1060 CVE-2013-1943 CVE-2013-2206 CVE-2013-4162

USN-1938-1: Linux kernel vulnerabilities - 5th September 2013

Vasily Kulikov discovered a flaw in the Linux Kernel's perf tool that allows specified to be run as root. A local could exploit this flaw to run commands as root when using the perf tool. user could exploit this (CVE-2013-1060) A flaw was discovered in the Xen subsystem of the ...

CVE-2013-1060 CVE-2013-2140 CVE-2013-2232 CVE-2013-2234 CVE-2013-4162 CVE-2013-4163

USN-1937-1: PHP vulnerability - 5th September 2013

It was discovered that PHP did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.

CVE-2013-4248

USN-1936-1: Linux kernel (Raring HWE) vulnerabilities - 20th August 2013

Chanam Park reported a Null pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059) An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive ...

CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2851 CVE-2013-4125 CVE-2013-4127 CVE-2013-4247

USN-1935-1: Linux kernel vulnerabilities - 20th August 2013

Chanam Park reported a Null pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059) An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive ...

CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2851 CVE-2013-4125 CVE-2013-4127

USN-1934-1: Linux kernel (OMAP4) vulnerabilities - 20th August 2013

Chanam Park reported a Null pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059) An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive ...

CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2851

USN-1933-1: Linux kernel (OMAP4) vulnerabilities - 20th August 2013

Chanam Park reported a Null pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059) An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive ...

CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2851

USN-1932-1: Linux kernel vulnerabilities - 20th August 2013

Chanam Park reported a Null pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059) An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive ...

CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2851

USN-1931-1: Linux kernel (Quantal HWE) vulnerabilities - 20th August 2013

Chanam Park reported a Null pointer flaw in the Linux kernel's Ceph client. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2013-1059) An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive ...

CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2851

USN-1930-1: Linux kernel (OMAP4) vulnerabilities - 20th August 2013

An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2013-2148) Kees Cook discovered a format string vulnerability in the Broadcom B43 wireless driver for the Linux kernel. A local user could exploit this flaw ...

CVE-2013-2148 CVE-2013-2852

USN-1929-1: Linux kernel vulnerability - 20th August 2013

An information leak was discovered in the Linux kernel's fanotify interface. A local user could exploit this flaw to obtain sensitive information from kernel memory.

CVE-2013-2148

USN-1928-1: Puppet vulnerabilities - 15th August 2013

It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files. (CVE-2013-4761) It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they ...

CVE-2013-4761 CVE-2013-4956

USN-1927-1: libimobiledevice vulnerability - 14th August 2013

Paul Collins discovered that libimobiledevice incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files and access device keys. In the default Ubuntu installation, this issue should be mitigated by the Yama link restrictions.

CVE-2013-2142

USN-1926-1: SPICE vulnerability - 14th August 2013

David Gibson discovered that SPICE incorrectly handled certain network errors. An attacker could use this issue to cause the SPICE server to crash, resulting in a denial of service.

CVE-2013-4130

USN-1925-1: Thunderbird vulnerabilities - 7th August 2013

Jeff Gilbert and Henrik Skupin discovered multiple memory safety issues in Thunderbird. If the user were tricked in to opening a specially crafted message with scripting enabled, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute arbitrary code with the privileges ...

CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713 CVE-2013-1714 CVE-2013-1717 LP: 1208041

USN-1924-2: Ubufox and Unity Firefox Extension update - 6th August 2013

USN-1924-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Ubufox and Unity Firefox Extension. Original advisory details: Jeff Gilbert, Henrik Skupin, Ben Turner, Christian Holler, Andrew McCreight, Gary Kwong, Jan Varga and Jesse Ruderman discovered multiple memory safety issues in Firefox. If the user were tricked in ...

LP: 1208039

USN-1924-1: Firefox vulnerabilities - 6th August 2013

Jeff Gilbert, Henrik Skupin, Ben Turner, Christian Holler, Andrew McCreight, Gary Kwong, Jan Varga and Jesse Ruderman discovered multiple memory safety issues in Firefox. If the user were tricked in to opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application ...

CVE-2013-1701 CVE-2013-1702 CVE-2013-1704 CVE-2013-1705 CVE-2013-1708 CVE-2013-1709 CVE-2013-1710 CVE-2013-1711 CVE-2013-1713 CVE-2013-1714 CVE-2013-1717 LP: 1208039

Show: All