Stemcell (Linux) Release Notes

This topic includes release notes for Linux stemcells used with Ops Manager.

Xenial Stemcells

The following sections describe each Xenial stemcell release.

621.x

This section includes release notes for the 621 line of Linux stemcells used with Ops Manager.

621.92

Available in VMware Tanzu Network

Release Date: November 16, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4587-1: iTALC vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4587-1
Priorities: medium,low
Description: Nicolas Ruff discovered that iTALC had buffer overflows, divide-by-zero errors and didn’t check malloc return values. A remote attacker could use these issues to cause a denial of service or possibly execute arbitrary code. (CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055) Josef Gajdusek discovered that iTALC had…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9941
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15127
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20019
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20020
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20021
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20024
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20748
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20749
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7225
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681

Title: USN-4552-2: Pam-python vulnerability
URL: https://ubuntu.com/security/notices/USN-4552-2
Priorities: medium
Description: Malte Kraus discovered that Pam-python mishandled certain environment variables. A local attacker could potentially use this vulnerability to execute programs as root.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16729

621.90

Available in VMware Tanzu Network

Release Date: October 23, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4593-1: FreeType vulnerability
URL: https://ubuntu.com/security/notices/USN-4593-1
Priorities: high
Description: Sergei Glazunov discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15999

621.89

Available in VMware Tanzu Network

Release Date: October 20, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4582-1: Vim vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4582-1
Priorities: low
Description: It was discovered that Vim incorrectly handled permissions on the .swp file. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-17087) It was discovered that Vim incorrectly handled restricted mode. A local attacker could possibly use this issue to bypass restricted…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17087
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20807

Title: USN-4579-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4579-1
Priorities: low,medium,high
Description: Hador Manor discovered that the DCCP protocol implementation in the Linux kernel improperly handled socket reuse, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-16119) Wen Xu discovered that the XFS file system in the Linux kernel…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10322
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14314
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16119
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25285

Title: USN-4591-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4591-1
Priorities: high,medium
Description: Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351) Andy Nguyen discovered that the Bluetooth A2MP implementation in the…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12351
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12352

Title: USN-4589-1: containerd vulnerability
URL: https://ubuntu.com/security/notices/USN-4589-1
Priorities: medium
Description: It was discovered that containerd could be made to expose sensitive information when processing URLs in container image manifests. A remote attacker could use this to trick the user and obtain the user’s registry credentials.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15157

Title: USN-4589-2: Docker vulnerability
URL: https://ubuntu.com/security/notices/USN-4589-2
Priorities: medium
Description: USN-4589-1 fixed a vulnerability in containerd. This update provides the corresponding update for docker.io. Original advisory details: It was discovered that containerd could be made to expose sensitive information when processing URLs in container image manifests. A remote attacker could use this to trick the user and obtain the user’s…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15157

Title: USN-4581-1: Python vulnerability
URL: https://ubuntu.com/security/notices/USN-4581-1
Priorities: medium
Description: It was discovered that Python incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-26116

Title: USN-4584-1: HtmlUnit vulnerability
URL: https://ubuntu.com/security/notices/USN-4584-1
Priorities: medium
Description: It was discovered that HtmlUnit incorrectly initialized the Rhino engine. An attacker could possibly use this issue to execute arbitrary Java code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5529

Title: USN-4583-1: PHP vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4583-1
Priorities: medium
Description: It was discovered that PHP incorrectly handled certain encrypt ciphers. An attacker could possibly use this issue to decrease security or cause incorrect encryption data. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-7069) It was discovered that PHP incorrectly handled certain HTTP cookies. An attacker could…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7069
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7070

621.87

Available in VMware Tanzu Network

Release Date: October 14, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4573-1: Vino vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4573-1
Priorities: medium,low
Description: Nicolas Ruff discovered that Vino incorrectly handled large ClientCutText messages. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2014-6053) It was discovered that Vino incorrectly handled certain packet lengths. A remote attacker could possibly use this issue to obtain…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7225
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14397
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14402
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14403
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14404

Title: USN-4554-1: libPGF vulnerability
URL: https://ubuntu.com/security/notices/USN-4554-1
Priorities: medium
Description: It was discovered that libPGF lacked proper validation when opening a specially crafted PGF file. An attacker could possibly use this issue to cause a denial of service.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-6673

Title: USN-4557-1: Tomcat vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4557-1
Priorities: low,medium
Description: It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn’t exist. A remote attacker could possibly use this issue to enumerate usernames. (CVE-2016-0762) Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-0762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-5018
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6794
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6797
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6816
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-8735

Title: USN-4578-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4578-1
Priorities: low,medium,high
Description: Hador Manor discovered that the DCCP protocol implementation in the Linux kernel improperly handled socket reuse, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-16119) Wen Xu discovered that the XFS file system in the Linux kernel…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10322
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19448
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14314
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16119
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16120
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25212
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-26088

Title: USN-4547-2: SSVNC vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4547-2
Priorities: medium
Description: It was discovered that the LibVNCClient vendored in SSVNC incorrectly handled certain packet lengths. A remote attacker could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. (CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20024)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20020
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20021
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20024

Title: USN-4571-1: rack-cors vulnerability
URL: https://ubuntu.com/security/notices/USN-4571-1
Priorities: medium
Description: It was discovered that rack-cors did not properly handle relative file paths. An attacker could use this vulnerability to access arbitrary files.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18978

Title: USN-4572-1: Spice vulnerability
URL: https://ubuntu.com/security/notices/USN-4572-1
Priorities: medium
Description: Frediano Ziglio discovered that Spice incorrectly handled QUIC image decoding. A remote attacker could use this to cause Spice to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14355

Title: USN-4559-1: Samba update
URL: https://ubuntu.com/security/notices/USN-4559-1
Priorities: medium
Description: Tom Tervoort discovered that the Netlogon protocol implemented by Samba incorrectly handled the authentication scheme. A remote attacker could use this issue to forge an authentication token and steal the credentials of the domain admin. While a previous security update fixed the issue by changing the “server schannel” setting to default to…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1472

Title: USN-4551-1: Squid vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4551-1
Priorities: low,medium
Description: Alex Rousskov and Amit Klein discovered that Squid incorrectly handled certain Content-Length headers. A remote attacker could possibly use this issue to perform an HTTP request smuggling attack, resulting in cache poisoning. (CVE-2020-15049) Amit Klein discovered that Squid incorrectly validated certain data. A remote attacker could possibly use…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15049
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24606

Title: USN-4564-1: Apache Tika vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4564-1
Priorities: medium,low
Description: It was discovered that Apache Tika can use excessive memory when processing a crafted or corrupt PSD file. An attacker could use this to cause a denial of service (crash). (CVE-2020-1950, CVE-2020-1951)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1950
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1951

Title: USN-4570-1: urllib3 vulnerability
URL: https://ubuntu.com/security/notices/USN-4570-1
Priorities: medium
Description: It was discovered that urllib3 incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-26137

Title: USN-4568-1: Brotli vulnerability
URL: https://ubuntu.com/security/notices/USN-4568-1
Priorities: medium
Description: It was discovered that Brotli incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8927

621.85

Available in VMware Tanzu Network

Release Date: September 28, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4500-1: bsdiff vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4500-1
Priorities: medium
Description: It was discovered that bsdiff mishandled certain input. If a user were tricked into opening a malicious file, an attacker could cause bsdiff to crash or potentially execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-9862

Title: USN-4506-1: MCabber vulnerability
URL: https://ubuntu.com/security/notices/USN-4506-1
Priorities: medium
Description: It was discovered that MCabber does not properly manage roster pushes. An attacker could possibly use this issue to remotely perform man-in-the-middle attacks. (CVE-2016-9928)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9928

Title: USN-4513-1: apng2gif vulnerability
URL: https://ubuntu.com/security/notices/USN-4513-1
Priorities: medium
Description: Dileep Kumar Jallepalli discovered that apng2gif incorrectly handled loading APNG files. An attacker could exploit this with a crafted APNG file to access sensitive information. (CVE-2017-6960)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-6960

Title: USN-4517-1: Email-Address-List vulnerability
URL: https://ubuntu.com/security/notices/USN-4517-1
Priorities: medium
Description: It was discovered that Email-Address-List does not properly parse email addresses during email-ingestion. A remote attacker could use this issue to cause an algorithmic complexity attack, resulting in a denial of service. (CVE-2018-18898)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18898

Title: USN-4507-1: ncmpc vulnerability
URL: https://ubuntu.com/security/notices/USN-4507-1
Priorities: medium
Description: It was discovered that ncmpc incorrectly handled long chat messages. A remote attacker could possibly exploit this with a crafted chat message, causing ncmpc to crash, resulting in a denial of service. (CVE-2018-9240)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-9240

Title: USN-4499-1: MilkyTracker vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4499-1
Priorities: medium
Description: It was discovered that MilkyTracker did not properly handle certain input. If a user were tricked into opening a malicious file, an attacker could cause MilkyTracker to crash or potentially execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14496
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14497

Title: USN-4504-1: OpenSSL vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4504-1
Priorities: low
Description: Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1551
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1563
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1968

Title: USN-4498-1: Loofah vulnerability
URL: https://ubuntu.com/security/notices/USN-4498-1
Priorities: medium
Description: It was discovered that Loofah does not properly sanitize JavaScript in sanitized output. An attacker could possibly use this issue to perform XSS attacks. (CVE-2019-15587)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15587

Title: USN-4496-1: Apache XML-RPC vulnerability
URL: https://ubuntu.com/security/notices/USN-4496-1
Priorities: medium
Description: It was discovered that Apache XML-RPC (aka ws-xmlrpc) does not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-17570)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17570

Title: USN-4526-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4526-1
Priorities: low,medium
Description: It was discovered that the AMD Cryptographic Coprocessor device driver in the Linux kernel did not properly deallocate memory in some situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-18808) It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19061
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19073
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19074
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9445
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12888
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14356
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16166

Title: USN-4527-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4527-1
Priorities: low,medium
Description: It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19054) It was discovered that the Atheros HTC based wireless driver in the Linux kernel did not properly…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19073
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19074
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9445
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9453
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25212

Title: USN-4520-1: Exim SpamAssassin vulnerability
URL: https://ubuntu.com/security/notices/USN-4520-1
Priorities: medium
Description: It was discovered that Exim SpamAssassin does not properly handle configuration strings. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-19920)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19920

Title: USN-4534-1: Perl DBI module vulnerability
URL: https://ubuntu.com/security/notices/USN-4534-1
Priorities: medium
Description: It was discovered that the Perl DBI module incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20919

Title: USN-4535-1: RDFLib vulnerability
URL: https://ubuntu.com/security/notices/USN-4535-1
Priorities: medium
Description: Gabriel Corona discovered that RDFLib did not properly load modules on the command-line. An attacker could possibly use this issue to cause RDFLib to execute arbitrary code. (CVE-2019-7653)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7653

Title: USN-4528-1: Ceph vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4528-1
Priorities: medium
Description: Adam Mohammed discovered that Ceph incorrectly handled certain CORS ExposeHeader tags. A remote attacker could possibly use this issue to perform an HTTP header injection attack. (CVE-2020-10753) Lei Cao discovered that Ceph incorrectly handled certain POST requests with invalid tagging XML. A remote attacker could possibly use this issue…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10753
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12059
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1760

Title: USN-4518-1: xawtv vulnerability
URL: https://ubuntu.com/security/notices/USN-4518-1
Priorities: low
Description: Matthias Gerstner discovered that xawtv incorrectly handled opening files. A local attacker could possibly use this issue to open and write to arbitrary files and escalate privileges. (CVE-2020-13696)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13696

Title: USN-4521-1: pam_tacplus vulnerability
URL: https://ubuntu.com/security/notices/USN-4521-1
Priorities: low
Description: It was discovered that pam_tacplus did not properly manage shared secrets if DEBUG loglevel and journald are used. A remote attacker could use this issue to expose sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13881

Title: USN-4511-1: QEMU vulnerability
URL: https://ubuntu.com/security/notices/USN-4511-1
Priorities: medium
Description: Ziming Zhang, Xiao Wei, Gonglei Arei, and Yanyu Zhang discovered that QEMU incorrectly handled certain USB packets. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14364

Title: USN-4503-1: Perl DBI module vulnerability
URL: https://ubuntu.com/security/notices/USN-4503-1
Priorities: medium
Description: It was discovered that the Perl DBI module incorrectly handled certain calls. An attacker could possibly use this issue to execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14392

Title: USN-4537-1: Aptdaemon vulnerability
URL: https://ubuntu.com/security/notices/USN-4537-1
Priorities: medium
Description: Vaisha Bernard discovered that Aptdaemon incorrectly handled the Locale property. A local attacker could use this issue to test for the presence of local files.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15703

Title: USN-4519-1: PulseAudio vulnerability
URL: https://ubuntu.com/security/notices/USN-4519-1
Priorities: medium
Description: Ratchanan Srirattanamet discovered that an Ubuntu-specific patch caused PulseAudio to incorrectly handle memory under certain error conditions in the Bluez 5 module. An attacker could use this issue to cause PulseAudio to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-15710)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15710

Title: USN-4501-1: LuaJIT vulnerability
URL: https://ubuntu.com/security/notices/USN-4501-1
Priorities: low
Description: It was discovered that an out-of-bounds read existed in LuaJIT. An attacker could use this to cause a denial of service (application crash) or possibly expose sensitive information. (CVE-2020-15890)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15890

Title: USN-4538-1: PackageKit vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4538-1
Priorities: low,medium
Description: Vaisha Bernard discovered that PackageKit incorrectly handled certain methods. A local attacker could use this issue to learn the MIME type of any file on the system. (CVE-2020-16121) Sami Niemimäki discovered that PackageKit incorrectly handled local deb packages. A local user could possibly use this issue to install untrusted packages, contrary…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16121
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16122

Title: USN-4514-1: libproxy vulnerability
URL: https://ubuntu.com/security/notices/USN-4514-1
Priorities: medium
Description: It was discovered that libproxy incorrectly handled certain PAC files. An attacker could possibly use this issue to cause a denial of service.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25219

Title: USN-4508-1: StoreBackup vulnerability
URL: https://ubuntu.com/security/notices/USN-4508-1
Priorities: medium
Description: It was discovered that StoreBackup did not properly manage lock files. A local attacker could use this issue to cause a denial of service or escalate privileges and run arbitrary code. (CVE-2020-7040)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7040

Title: USN-4515-1: Pure-FTPd vulnerability
URL: https://ubuntu.com/security/notices/USN-4515-1
Priorities: low
Description: Antonio Norales discovered that Pure-FTPd incorrectly handled directory aliases. An attacker could possibly use this issue to access sensitive information. (CVE-2020-9274)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9274

621.84

Available in VMware Tanzu Network

Release Date: September 09, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4470-1: sane-backends vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4470-1
Priorities: low,medium
Description: Kritphong Mongkhonvanit discovered that sane-backends incorrectly handled certain packets. A remote attacker could possibly use this issue to obtain sensitive memory information. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-6318) It was discovered that sane-backends incorrectly handled certain memory operations. A remote attacker could…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-6318
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12861
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12862
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12863
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12864
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12865
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12866
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12867

Title: USN-4485-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4485-1
Priorities: low,medium,negligible
Description: Timothy Michaud discovered that the i915 graphics driver in the Linux kernel did not properly validate user memory locations for the i915_gem_execbuffer2_ioctl. A local attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2018-20669) It was discovered that the Kvaser CAN/USB driver in the Linux kernel…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20669
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10781
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12771
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15393
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24394

Title: USN-4476-1: NSS vulnerability
URL: https://ubuntu.com/security/notices/USN-4476-1
Priorities: medium
Description: It was discovered that NSS incorrectly handled some inputs. An attacker could possibly use this issue to expose sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12403

Title: USN-4490-1: X.Org X Server vulnerability
URL: https://ubuntu.com/security/notices/USN-4490-1
Priorities: medium
Description: Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XkbSetNames function. A local attacker could possibly use this issue to escalate privileges.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14345

Title: USN-4489-1: Linux kernel vulnerability
URL: https://ubuntu.com/security/notices/USN-4489-1
Priorities: high
Description: Or Cohen discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14386

Title: USN-4471-1: Net-SNMP vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4471-1
Priorities: medium
Description: Tobias Neitzel discovered that Net-SNMP incorrectly handled certain symlinks. An attacker could possibly use this issue to access sensitive information. (CVE-2020-15861) It was discovered that Net-SNMP incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15861
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15862

Title: USN-4482-1: Ark vulnerability
URL: https://ubuntu.com/security/notices/USN-4482-1
Priorities: medium
Description: Fabian Vogt discovered that Ark incorrectly handled symbolic links in tar archive files. An attacker could use this to construct a malicious tar archive that, when opened, would create files outside the extraction directory.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24654

621.82

Available in VMware Tanzu Network

Release Date: August 21, 2020

This release changes the way the Linux Google light stemcell works so that it references a source image. This reduces the time it takes to upload the light stemcell. The change also helps mitigate the impact of the new GCP image creation rate limit, which any user uploading more than 6 GCP stemcells per hour would hit.

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4459-1: Salt vulnerabilities URL: https://ubuntu.com/security/notices/USN-4459-1 Priorities: medium Description: It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. (CVE-2018-15750) It was discovered that Salt has a vulnerability that allows a user to bypass authentication. An attacker could use that to extract sensitive information, execute arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17361
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11651
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11652

Title: USN-4463-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4463-1 Priorities: low Description: It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12771) Kyungtae Kim discovered that the USB testing driver in the Linux kernel did not properly deallocate memory on disconnect events. A… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12771
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15393

621.81

Available in VMware Tanzu Network

Release Date: August 19, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4427-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4427-1 Priorities: negligible,low,medium Description: It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974

Title: USN-4446-1: Squid vulnerabilities URL: https://ubuntu.com/security/notices/USN-4446-1 Priorities: medium Description: Jeriko One discovered that Squid incorrectly handled caching certain requests. A remote attacker could possibly use this issue to perform cache-injection attacks or gain access to reverse proxy features such as ESI. (CVE-2019-12520) Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly handled certain URN requests. A remote… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12520
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12523
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18676

Title: USN-4426-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4426-1 Priorities: medium Description: Jason A. Donenfeld discovered that the ACPI implementation in the Linux kernel did not properly restrict loading SSDT code from an EFI variable. A privileged attacker could use this to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel. (CVE-2019-20908) Fan Yang discovered that the mremap implementation in the Linux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10757
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15780

Title: USN-4432-1: GRUB 2 vulnerabilities URL: https://ubuntu.com/security/notices/USN-4432-1 Priorities: high,medium Description: Jesse Michael and Mickey Shkatov discovered that the configuration parser in GRUB2 did not properly exit when errors were discovered, resulting in heap-based buffer overflows. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713) Chris Coulson discovered that the GRUB2 function… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10713
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15705
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15706
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15707

Title: USN-4449-1: Apport vulnerabilities URL: https://ubuntu.com/security/notices/USN-4449-1 Priorities: medium Description: Ryota Shiga discovered that Apport incorrectly dropped privileges when making certain D-Bus calls. A local attacker could use this issue to read arbitrary files. (CVE-2020-11936) Seong-Joong Kim discovered that Apport incorrectly parsed configuration files. A local attacker could use this issue to cause Apport to crash, resulting in a denial of… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11936
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15701
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15702

Title: USN-4456-1: Dovecot vulnerabilities URL: https://ubuntu.com/security/notices/USN-4456-1 Priorities: medium Description: It was discovered that Dovecot incorrectly handled deeply nested MIME parts. A remote attacker could possibly use this issue to cause Dovecot to consume resources, resulting in a denial of service. (CVE-2020-12100) It was discovered that Dovecot incorrectly handled memory when using NTLM. A remote attacker could possibly use this issue to cause… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12100
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12673
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12674

Title: USN-4455-1: NSS vulnerabilities URL: https://ubuntu.com/security/notices/USN-4455-1 Priorities: medium Description: It was discovered that NSS incorrectly handled certain signatures. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-12400, CVE-2020-12401, CVE-2020-6829) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12400
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12401
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6829

Title: USN-4448-1: Tomcat vulnerabilities URL: https://ubuntu.com/security/notices/USN-4448-1 Priorities: medium,low Description: It was discovered that Tomcat incorrectly validated the payload length in a WebSocket frame. A remote attacker could possibly use this issue to cause Tomcat to hang, resulting in a denial of service. (CVE-2020-13935) It was discovered that Tomcat incorrectly handled HTTP header parsing. In certain environments where Tomcat is located behind a… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9484

Title: USN-4454-1: Samba vulnerability URL: https://ubuntu.com/security/notices/USN-4454-1 Priorities: medium Description: Martin von Wittich and Wilko Meyer discovered that Samba incorrectly handled certain empty UDP packets when being used as an AD DC NBT server. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14303

Title: USN-4441-1: MySQL vulnerabilities URL: https://ubuntu.com/security/notices/USN-4441-1 Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.21 in Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.31. In addition to security fixes, the updated packages contain bug fixes, new features, and… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14539
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14540
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14550
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14553
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14559
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14568
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14576
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14586
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14591
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14597
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14619
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14620
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14623
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14624
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14631
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14632
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14633
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14634
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14643
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14651
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14663
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14678
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14680
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14697
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14702

Title: USN-4453-1: OpenJDK 8 vulnerabilities URL: https://ubuntu.com/security/notices/USN-4453-1 Priorities: medium Description: Johannes Kuhn discovered that OpenJDK 8 incorrectly handled access control contexts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-14556) Philippe Arteau discovered that OpenJDK 8 incorrectly verified names in TLS server’s X.509 certificates. An attacker could possibly use this issue to obtain sensitive… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14556
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14578
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14579
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14581
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14583
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14593
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14621

Title: USN-4443-1: Firefox vulnerabilities URL: https://ubuntu.com/security/notices/USN-4443-1 Priorities: medium,low Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass iframe sandbox restrictions, confuse the user, or execute arbitrary code. (CVE-2020-6463, CVE-2020-6514,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15652
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15653
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15658
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15659
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6463
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6514

Title: USN-4451-1: ppp vulnerability URL: https://ubuntu.com/security/notices/USN-4451-1 Priorities: medium Description: Thomas Chauchefoin, working with Trend Micro's Zero Day Initiative, discovered that ppp incorrectly handled module loading. A local attacker could use this issue to load arbitrary kernel modules and possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15704

Title: USN-4447-1: libssh vulnerability URL: https://ubuntu.com/security/notices/USN-4447-1 Priorities: medium Description: It was discovered that libssh incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16135

621.78

Available in VMware Tanzu Network

Release Date: July 30, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4427-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4427-1 Priorities: low,medium,negligible Description: It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974

Title: USN-4426-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4426-1 Priorities: medium Description: Jason A. Donenfeld discovered that the ACPI implementation in the Linux kernel did not properly restrict loading SSDT code from an EFI variable. A privileged attacker could use this to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel. (CVE-2019-20908) Fan Yang discovered that the mremap implementation in the Linux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10757
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15780

Title: USN-4436-1: librsvg vulnerabilities URL: https://ubuntu.com/security/notices/USN-4436-1 Priorities: low Description: It was discovered that librsvg incorrectly handled parsing certain SVG files. A remote attacker could possibly use this issue to cause librsvg to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-11464) It was discovered that librsvg incorrectly handled parsing certain SVG files with nested patterns. A… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20446

Title: USN-4435-1: ClamAV vulnerabilities URL: https://ubuntu.com/security/notices/USN-4435-1 Priorities: medium Description: It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327) It was discovered that ClamAV incorrectly handled scanning malicious files. A local attacker could possibly use this issue to delete arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3327
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3350
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3481

Title: USN-4434-1: LibVNCServer vulnerabilities URL: https://ubuntu.com/security/notices/USN-4434-1 Priorities: medium Description: Ramin Farajpour Cami discovered that LibVNCServer incorrectly handled certain malformed unix socket names. A remote attacker could exploit this with a crafted socket name, leading to a denial of service, or possibly execute arbitrary code. (CVE-2019-20839) It was discovered that LibVNCServer did not properly access byte-aligned data. A remote… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20839
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14396
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14397
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14398
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14399
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14400
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14401
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14402
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14403
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14404
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14405

Title: USN-4431-1: FFmpeg vulnerabilities URL: https://ubuntu.com/security/notices/USN-4431-1 Priorities: low,medium Description: It was discovered that FFmpeg incorrectly verified empty audio packets or HEVC data. An attacker could possibly use this issue to cause a denial of service via a crafted file. This issue only affected Ubuntu 16.04 LTS, as it was already fixed in Ubuntu 18.04 LTS. For more information see: https://usn.ubuntu.com/usn/usn-3967-1 (CVE-2018-15822,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15822
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11338
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12730
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13312
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13390
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17539
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17542
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12284
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13904

Title: USN-4428-1: Python vulnerabilities URL: https://ubuntu.com/security/notices/USN-4428-1 Priorities: low,medium Description: It was discovered that the Python documentation contained misleading information. A security issue could possibly be caused by wrong assumptions based on this information. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-17514) It was discovered that Python incorrectly handled certain TAR… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17514
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20907
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9674
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14422

Title: USN-4424-1: snapd vulnerabilities URL: https://ubuntu.com/security/notices/USN-4424-1 Priorities: medium Description: It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices ran on every boot without restrictions. A physical attacker could exploit this to craft cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11933
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11934

Title: USN-4421-1: Thunderbird vulnerabilities URL: https://ubuntu.com/security/notices/USN-4421-1 Priorities: medium Description: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-12405, CVE-2020-12406, CVE-2020-12410, CVE-2020-12417,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12398
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12399
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12405
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12406
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12410
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12417
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12418
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12419
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12420
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12421

Title: USN-4419-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4419-1 Priorities: low,medium Description: It was discovered that a race condition existed in the Precision Time Protocol (PTP) implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-10690) Matthew Sheets discovered that the SELinux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10690
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12770
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13143
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

Title: USN-4414-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4414-1 Priorities: low,medium,negligible Description: It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16089
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19036
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19039
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19318
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19377
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19462
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19813
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19816
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12770
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13143

Title: USN-4416-1: GNU C Library vulnerabilities URL: https://ubuntu.com/security/notices/USN-4416-1 Priorities: low,medium Description: Florian Weimer discovered that the GNU C Library incorrectly handled certain memory operations. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-12133) It was discovered that the GNU C Library… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12133
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-18269
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11236
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11237
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19591
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-6485
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19126
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9169
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10029
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1752

Title: USN-4415-1: coTURN vulnerabilities URL: https://ubuntu.com/security/notices/USN-4415-1 Priorities: medium Description: Felix Dörre discovered that the coTURN response buffer was not initialized properly. An attacker could possibly use this issue to obtain sensitive information. (CVE-2020-4067) It was discovered that the coTURN web server incorrectly handled HTTP POST requests. An attacker could possibly use this issue to cause a denial of service, obtain sensitive… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-4067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6061
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6062

Title: USN-4408-1: Firefox vulnerabilities URL: https://ubuntu.com/security/notices/USN-4408-1 Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass permission prompts, or execute arbitrary code. (CVE-2020-12415, CVE-2020-12416, CVE-2020-12417,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12415
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12416
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12417
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12418
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12419
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12420
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12421
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12422
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12424
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12425
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12426

Title: USN-4409-1: Samba vulnerabilities URL: https://ubuntu.com/security/notices/USN-4409-1 Priorities: medium Description: Andrew Bartlett discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10730) Douglas Bagnall discovered that Samba… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10730
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10745
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10760

Title: USN-4407-1: LibVNCServer vulnerabilities URL: https://ubuntu.com/security/notices/USN-4407-1 Priorities: low,medium Description: It was discovered that LibVNCServer incorrectly handled decompressing data. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service. (CVE-2019-15680) It was discovered that an information disclosure vulnerability existed in LibVNCServer when sending a ServerCutText message. An attacker could… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-18922
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15680
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15690
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20788

Title: USN-4403-1: Mutt vulnerability and regression URL: https://ubuntu.com/security/notices/USN-4403-1 Priorities: medium Description: It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to enable MITM attacks. (CVE-2020-14954) This update also addresses a regression caused by the previous update, USN-4401-1. It only affected Ubuntu 12.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14954

Title: USN-4402-1: curl vulnerabilities URL: https://ubuntu.com/security/notices/USN-4402-1 Priorities: medium Description: Marek Szlagor, Gregory Jefferis and Jeroen Ooms discovered that curl incorrectly handled certain credentials. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-8169) It was discovered that curl incorrectly handled certain parameters. An attacker could… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8169
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8177

621.77

Available in VMware Tanzu Network

Release Date: July 20, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4397-1: NSS vulnerabilities URL: https://usn.ubuntu.com/4397-1/ Priorities: low,medium Description: It was discovered that NSS incorrectly handled the TLS State Machine. A remote attacker could possibly use this issue to cause NSS to hang, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-17023) Cesar Pereida Garcia discovered that NSS incorrectly handled DSA key generation. A local attacker… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12399

Title: USN-4400-1: nfs-utils vulnerability URL: https://usn.ubuntu.com/4400-1/ Priorities: low Description: It was discovered that the nfs-utils package set incorrect permissions on the /var/lib/nfs directory. An attacker could possibly use this issue to escalate privileges. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-3689

Title: USN-4396-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4396-1/ Priorities: low,medium Description: It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-0093, CVE-2020-0182) It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to cause a remote denial of service. (CVE-2020-0198) It was… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0093
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0182
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0198
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13112
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13113
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13114

Title: USN-4395-1: fwupd vulnerability URL: https://usn.ubuntu.com/4395-1/ Priorities: medium Description: Justin Steven discovered that fwupd incorrectly handled certain signature verification. An attacker could possibly use this issue to install an unsigned firmware. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10759

Title: USN-4398-1: DBus vulnerability URL: https://usn.ubuntu.com/4398-1/ Priorities: medium Description: Kevin Backhouse discovered that DBus incorrectly handled file descriptors. A local attacker could possibly use this issue to cause DBus to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12049

Title: USN-4401-1: Mutt vulnerabilities URL: https://usn.ubuntu.com/4401-1/ Priorities: medium,low Description: It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to enable MITM attacks. (CVE-2020-14093) It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to proceed with a connection even if the user rejects an expired intermediate… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14093
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14154

621.76

Available in VMware Tanzu Network

Release Date: June 17, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4385-1: Intel Microcode vulnerabilities URL: https://usn.ubuntu.com/4385-1/ Priorities: medium Description: It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0543
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0548
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0549

Title: LSN-0068-1: Kernel Live Patch Security Notice URL: https://usn.ubuntu.com/lsn/0068-1/ Priorities: medium Description: Several security issues were fixed in the kernel. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0543
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8647
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8649
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11494
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12114

Title: USN-4386-1: libjpeg-turbo vulnerability URL: https://usn.ubuntu.com/4386-1/ Priorities: medium Description: It was discovered that libjpeg-turbo incorrectly handled certain PPM files. An attacker could possibly use this issue to access sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13790

Known Issue:

If you use the NSX-T Container Plugin (NCP) tile v3.0.1 or earlier, do not upgrade to stemcell 621.76. 621.76 is not compatible with the NCP tile v3.0.1 and causes the openvswitch job to fail when you deploy. Please upgrade the NCP tile to 3.0.2 before updating to stemcell 621.76 or newer.

621.75

Available in VMware Tanzu Network

Release Date: June 09, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4358-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4358-1/ Priorities: low,medium Description: It was discovered that libexif incorrectly handled certain tags. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20030) It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash. (CVE-2020-12767) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20030
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12767

Title: USN-4351-1: Linux firmware vulnerability URL: https://usn.ubuntu.com/4351-1/ Priorities: medium Description: Eli Biham and Lior Neumann discovered that certain Bluetooth devices incorrectly validated key exchange parameters. An attacker could possibly use this issue to obtain sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-5383

Title: USN-4364-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4364-1/ Priorities: low,medium Description: It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19060) It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19060
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11494
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11565
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11608
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11609
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11668

Title: USN-4354-1: Mailman vulnerability URL: https://usn.ubuntu.com/4354-1/ Priorities: medium Description: It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to inject arbitrary content in the login page. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12108

Title: USN-4352-1: OpenLDAP vulnerability URL: https://usn.ubuntu.com/4352-1/ Priorities: medium Description: It was discovered that OpenLDAP incorrectly handled certain queries. A remote attacker could possibly use this issue to cause OpenLDAP to consume resources, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12243

Title: USN-4353-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4353-1/ Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass security restrictions, spoof the URL bar, or execute arbitrary code. (CVE-2020-6831, CVE-2020-12387, CVE-2020-12390, CVE-2020-12391, CVE-2020-12394,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12387
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12390
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12391
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12392
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12394
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12395
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12396
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6831

Title: USN-4360-1: json-c vulnerability URL: https://usn.ubuntu.com/4360-1/ Priorities: medium Description: It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12762

Title: USN-4350-1: MySQL vulnerabilities URL: https://usn.ubuntu.com/4350-1/ Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.80 in Ubuntu 19.10 and Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.30. In addition to security fixes, the updated packages contain bug fixes,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2759
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2760
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2763
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2765
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2780
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2804
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2812
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2892
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2893
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2898
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2903
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2904
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2921
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2922
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2923
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2924
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2925
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2926
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2928
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2930

Title: USN-4359-1: APT vulnerability URL: https://usn.ubuntu.com/4359-1/ Priorities: medium Description: It was discovered that APT incorrectly handled certain filenames during package installation. If an attacker could provide a specially crafted package to be installed by the system administrator, this could cause APT to crash. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3810

Title: USN-4365-1: Bind vulnerabilities URL: https://usn.ubuntu.com/4365-1/ Priorities: medium Description: Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack. (CVE-2020-8616) Tobias Klein discovered that Bind incorrectly handled… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8616
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8617

Title: LSN-0066-1: Kernel Live Patch Security Notice URL: https://usn.ubuntu.com/lsn/0066-1/ Priorities: medium Description: Several security issues were fixed in the Linux kernel. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8647
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8649

621.74

Available in VMware Tanzu Network

Release Date: May 12, 2020

Metadata:

BOSH Agent Version: 2.268.16

USNs:

Title: USN-4339-1: OpenEXR vulnerabilities URL: https://usn.ubuntu.com/4339-1/ Priorities: low,medium Description: Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115) Tan Jie… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9111
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9113
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9115
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18444
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11758
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11759
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11760
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11761
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11763
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11764
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11765

Title: USN-4348-1: Mailman vulnerabilities URL: https://usn.ubuntu.com/4348-1/ Priorities: low,medium Description: It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary scripts or HTML. (CVE-2018-0618) It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to display arbitrary text on a web page. (CVE-2018-13796) It was discovered… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0618
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12137

Title: USN-4349-1: EDK II vulnerabilities URL: https://usn.ubuntu.com/4349-1/ Priorities: medium,low Description: A buffer overflow was discovered in the network stack. An unprivileged user could potentially enable escalation of privilege and/or denial of service. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12178) A buffer overflow was discovered in BlockIo service. An unauthenticated user could potentially enable… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12178
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12180
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12181
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14558
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14559
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14563
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14586
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14587

Title: USN-4346-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4346-1/ Priorities: low,medium Description: It was discovered that the QLogic Fibre Channel driver in the Linux kernel did not properly check for error, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16233) It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16233
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16234
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9383

Title: USN-4345-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4345-1/ Priorities: low,medium,high Description: Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-11884) It was discovered that the Intel Wi-Fi driver in the Linux kernel did… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16234
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11608
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11609
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11668
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11884
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9383

Title: USN-4340-1: CUPS vulnerabilities URL: https://usn.ubuntu.com/4340-1/ Priorities: low,medium Description: It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2019-2228) Stephan Zeisberg discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2228
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3898

Title: USN-4341-1: Samba vulnerabilities URL: https://usn.ubuntu.com/4341-1/ Priorities: medium Description: Andrei Popa discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10700) It was discovered that Samba incorrectly handled certain LDAP… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10700
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10704

621.71

Available in VMware Tanzu Network

Release Date: April 23, 2020

Metadata:

BOSH Agent Version: 2.268.15

USNs:

Title: USN-4333-1: Python vulnerabilities URL: https://usn.ubuntu.com/4333-1/ Priorities: medium,low Description: It was discovered that Python incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection. (CVE-2019-18348) It was discovered that Python incorrectly handled certain HTTP requests. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-8492) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18348
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8492

Title: USN-4334-1: Git vulnerability URL: https://usn.ubuntu.com/4334-1/ Priorities: medium Description: Carlo Arenas discovered that Git incorrectly handled certain URLs containing newlines, empty hosts, or lacking a scheme. A remote attacker could possibly use this issue to trick Git into returning credential information for a wrong host. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11008

Title: USN-4332-1: File Roller vulnerability URL: https://usn.ubuntu.com/4332-1/ Priorities: medium Description: It was discovered that File Roller incorrectly handled symlinks. An attacker could possibly use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11736

621.69

Available in VMware Tanzu Network

Release Date: April 21, 2020

Metadata:

BOSH Agent Version: 2.268.15

USNs:

Title: USN-4326-1: libiberty vulnerabilities URL: https://usn.ubuntu.com/4326-1/ Priorities: low,medium Description: It was discovered that libiberty incorrectly handled parsing certain binaries. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause libiberty to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12697
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12698
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12934
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17794
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17985
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18483
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18484
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18700
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18701
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-9138
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14250
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9070
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9071

Title: USN-4323-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4323-1/ Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-6821, CVE-2020-6822, CVE-2020-6824, CVE-2020-6825, CVE-2020-6826) It was discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6821
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6822
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6823
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6824
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6825
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6826

Title: USN-4320-1: Linux kernel vulnerability URL: https://usn.ubuntu.com/4320-1/ Priorities: medium Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428

Title: USN-4318-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4318-1/ Priorities: medium,low Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428) Gustavo Romero and Paul Mackerras discovered that the KVM implementation in the Linux kernel for… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8834
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

Title: USN-4324-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4324-1/ Priorities: medium,low Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428) Shijie Luo discovered that the ext4 file system implementation in the Linux kernel did not… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

621.64

Available in VMware Tanzu Network

Release Date: April 06, 2020

Metadata:

BOSH Agent Version: 2.268.12

USNs:

Title: USN-4311-1: BlueZ vulnerabilities URL: https://usn.ubuntu.com/4311-1/ Priorities: low,medium Description: It was discovered that BlueZ incorrectly handled bonding HID and HOGP devices. A local attacker could possibly use this issue to impersonate non-bonded devices. (CVE-2020-0556) It was discovered that BlueZ incorrectly handled certain commands. A local attacker could use this issue to cause BlueZ to crash, resulting in a denial of service, or… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-7837
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0556

Title: USN-4316-1: GD Graphics Library vulnerabilities URL: https://usn.ubuntu.com/4316-1/ Priorities: low Description: It was discovered that GD Graphics Library incorrectly handled cloning an image. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service. (CVE-2018-14553) It was discovered that GD Graphics Library incorrectly handled loading images from X bitmap format files. An attacker could possibly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14553
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11038

Title: USN-4134-3: IBus vulnerability URL: https://usn.ubuntu.com/4134-3/ Priorities: medium Description: USN-4134-1 fixed a vulnerability in IBus. The update caused a regression in some Qt applications and the fix was subsequently reverted in USN-4134-2. The regression has since been resolved and so this update fixes the original vulnerability. We apologize for the inconvenience. Original advisory details: Simon McVittie discovered that IBus did… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14822

Title: USN-4314-1: pam-krb5 vulnerability URL: https://usn.ubuntu.com/4314-1/ Priorities: medium Description: Russ Allbery discovered that pam-krb5 incorrectly handled some responses. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10595

Title: USN-4317-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4317-1/ Priorities: high Description: Two use-after-free bugs were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could exploit these to cause a denial of service or execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6819
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6820

Title: USN-4315-1: Apport vulnerabilities URL: https://usn.ubuntu.com/4315-1/ Priorities: high,medium Description: Maximilien Bourgeteau discovered that the Apport lock file was created with insecure permissions. This could allow a local attacker to escalate their privileges via a symlink attack. (CVE-2020-8831) Maximilien Bourgeteau discovered a race condition in Apport when setting crash report permissions. This could allow a local attacker to… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8831
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8833

621.61

Available in VMware Tanzu Network

Release Date: March 24, 2020

Metadata:

BOSH Agent Version: 2.268.12

USNs:

Title: USN-4298-1: SQLite vulnerabilities URL: https://usn.ubuntu.com/4298-1/ Priorities: medium,low Description: It was discovered that SQLite incorrectly handled certain shadow tables. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-13734, CVE-2019-13750, CVE-2019-13753) It was discovered that SQLite incorrectly handled certain corrupt records. An attacker could use… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13734
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13752
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13753
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19880
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19923
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19924
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19925
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19926
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19959
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20218
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9327

Title: USN-4299-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4299-1/ Priorities: medium,low Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the URL or other browser chrome, obtain sensitive information, bypass Content Security Policy (CSP) protections, or execute arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20503
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6805
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6806
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6807
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6809
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6812
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6813
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6814
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6815

Title: USN-4296-1: Django vulnerability URL: https://usn.ubuntu.com/4296-1/ Priorities: medium Description: Norbert Szetei discovered that Django incorrectly handled the GIS functions and aggregates on Oracle. A remote attacker could possibly use this issue to perform an SQL injection attack. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9402

621.59

Available in VMware Tanzu Network

Release Date: March 03, 2020

Metadata:

BOSH Agent Version: 2.268.12

USNs:

Title: USN-4279-2: PHP regression URL: https://usn.ubuntu.com/4279-2/ Priorities: low Description: USN-4279-1 fixed vulnerabilities in PHP. The updated packages caused a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. This issue only affected… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-9253

Title: USN-4290-1: libpam-radius-auth vulnerability URL: https://usn.ubuntu.com/4290-1/ Priorities: medium Description: It was discovered that libpam-radius-auth incorrectly handled certain long passwords. A remote attacker could possibly use this issue to cause libpam-radius-auth to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-9542

Title: USN-4292-1: rsync vulnerabilities URL: https://usn.ubuntu.com/4292-1/ Priorities: low Description: It was discovered that rsync incorrectly handled pointer arithmetic in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in zlib. An… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9841
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9842
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9843

Title: USN-4289-1: Squid vulnerabilities URL: https://usn.ubuntu.com/4289-1/ Priorities: medium Description: Jeriko One discovered that Squid incorrectly handled memory when connected to an FTP server. A remote attacker could possibly use this issue to obtain sensitive information from Squid memory. (CVE-2019-12528) Regis Leroy discovered that Squid incorrectly handled certain HTTP requests. A remote attacker could possibly use this issue to access… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12528
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8449
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8450
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8517

Title: USN-4293-1: libarchive vulnerabilities URL: https://usn.ubuntu.com/4293-1/ Priorities: low,medium Description: It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to access sensitive information. (CVE-2019-19221) It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to cause a crash resulting in a denial of service or… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9308

Title: USN-4278-2: Firefox vulnerabilities URL: https://usn.ubuntu.com/4278-2/ Priorities: medium Description: USN-4278-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, conduct… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6798
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6800
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6801

Title: USN-4288-1: ppp vulnerability
URL: https://usn.ubuntu.com/4288-1/
Priorities: medium
Description: It was discovered that ppp incorrectly handled certain rhostname values. A remote attacker could use this issue to cause ppp to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8597
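
Every entry on this page follows the same layout: a version heading, a release date, the BOSH agent version, then one block per USN that ends in a list of CVE links. That makes it easy to answer the question operators actually bring to these notes, "which stemcell first picked up the fix for CVE X, and is what I have deployed at or above it?". The parser below is an added example, not VMware or BOSH tooling; it accepts both layouts that appear on the page (the one-line "Title: ... URL: ... Priorities: ... Description: ... CVEs:" form and the one-field-per-line form) and runs against a constructed excerpt whose versions, dates, agent versions and advisories are copied from entries on this page with the descriptions shortened. The assumption that a fix entering the line at version N is present in every later N is made explicit in `covers`.

```python
import re

# Constructed excerpt in the layout this page uses. The versions, dates, agent
# versions and advisories are copied from entries on this page; the
# descriptions are shortened. Both page layouts are represented.
SAMPLE_NOTES = """\
621.57

Available in VMware Tanzu Network

Release Date: February 19, 2020

Metadata:

BOSH Agent Version: 2.268.12

USNs:

Title: USN-4274-1: libxml2 vulnerabilities URL: https://usn.ubuntu.com/4274-1/ Priorities: low,medium Description: It was discovered that libxml2 incorrectly handled certain XML files. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19956
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7595

621.41

Available in VMware Tanzu Network

Release Date: February 04, 2020

BOSH Agent version: 2.268.9 USNs:

Title: USN-4219-1: libssh vulnerability
URL: https://usn.ubuntu.com/4219-1/
Priorities: medium
Description: It was discovered that libssh incorrectly handled certain scp commands.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14889

Title: USN-4221-1: libpcap vulnerability
URL: https://usn.ubuntu.com/4221-1/
Priorities: medium
Description: It was discovered that libpcap did not properly validate PHB headers in some situations.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15165
"""

VERSION_RE = re.compile(r"^\d+\.\d+$")                     # a heading such as "621.57"
DATE_RE = re.compile(r"^Release Date:\s*(.+?)\s*$")
AGENT_RE = re.compile(r"^BOSH Agent [Vv]ersion:\s*(\S+)")  # also matches the run-together "... 2.268.9 USNs:" line
USN_RE = re.compile(r"\bTitle:\s*(USN-\d+-\d+)")
CVE_RE = re.compile(r"^-\s+\S*/(CVE-\d{4}-\d{4,})\s*$")    # "- https://.../cve/CVE-2019-1010220"


def parse_release_notes(text):
    """Map each stemcell version to its date, BOSH agent version and the CVEs
    listed under each USN: {version: {"date", "agent", "usns": {usn: [cve, ...]}}}."""
    releases = {}
    version = None
    usn = None
    for raw in text.splitlines():
        line = raw.strip()
        if VERSION_RE.match(line):
            version = line
            usn = None
            releases[version] = {"date": None, "agent": None, "usns": {}}
            continue
        if version is None:  # anything before the first version heading
            continue
        m = DATE_RE.match(line)
        if m:
            releases[version]["date"] = m.group(1)
            continue
        m = AGENT_RE.match(line)
        if m:
            releases[version]["agent"] = m.group(1)
            continue
        m = USN_RE.search(line)  # search, not match: the one-line form carries more text after the title
        if m:
            usn = m.group(1)
            releases[version]["usns"].setdefault(usn, [])
            continue
        m = CVE_RE.match(line)
        if m and usn is not None:
            releases[version]["usns"][usn].append(m.group(1))
    return releases


def version_key(version):
    """Numeric sort key, so 621.57 sorts after 621.9 (a string compare gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def stemcells_listing(releases, cve):
    """(version, usn) pairs whose notes list the CVE, lowest version first."""
    hits = [(version, usn)
            for version, rel in releases.items()
            for usn, cves in rel["usns"].items()
            if cve in cves]
    return sorted(hits, key=lambda hit: version_key(hit[0]))


def minimum_stemcell(releases, cve):
    """Lowest stemcell version whose notes list the CVE, or None if no entry does."""
    hits = stemcells_listing(releases, cve)
    return hits[0][0] if hits else None


def covers(releases, deployed_version, cve):
    """True if the deployed stemcell is at or above the first version listing the CVE.
    Assumption: a fix that entered the line at version N is present in every later N."""
    first = minimum_stemcell(releases, cve)
    return first is not None and version_key(deployed_version) >= version_key(first)
```

Two caveats when using the result. A USN listed under a version records that the corresponding Ubuntu updates were pulled into the stemcell build at that version; whether the affected package is installed on a given VM is a separate question. And a CVE that is absent from these notes is not evidence either way, since the parser only knows what the page lists.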

621.57

Available in VMware Tanzu Network

Release Date: February 19, 2020

Metadata:

BOSH Agent Version: 2.268.12

USNs:

Title: USN-4277-1: libexif vulnerabilities
URL: https://usn.ubuntu.com/4277-1/
Priorities: low,medium
Description: Liu Bingchang discovered that libexif incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information or cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. (CVE-2016-6328) Lili Xu and Bingchang Liu discovered that libexif incorrectly handled…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6328
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-7544
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9278

Title: USN-4275-1: Qt vulnerabilities
URL: https://usn.ubuntu.com/4275-1/
Priorities: low,medium
Description: It was discovered that Qt incorrectly handled certain PPM images. If a user or automated system were tricked into opening a specially crafted PPM file, a remote attacker could cause Qt to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-19872) It was discovered that Qt incorrectly…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19872
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18281
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0569
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0570

Title: USN-4272-1: Pillow vulnerabilities
URL: https://usn.ubuntu.com/4272-1/
Priorities: low,medium
Description: It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-16865, CVE-2019-19911) It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-5312) It was discovered that…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16865
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19911
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5312
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5313

Title: USN-4273-1: ReportLab vulnerability
URL: https://usn.ubuntu.com/4273-1/
Priorities: medium
Description: It was discovered that ReportLab incorrectly handled certain XML documents. If a user or automated system were tricked into processing a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17626

Title: USN-4274-1: libxml2 vulnerabilities
URL: https://usn.ubuntu.com/4274-1/
Priorities: low,medium
Description: It was discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-19956, CVE-2020-7595)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19956
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7595

621.55

Available in VMware Tanzu Network

Release Date: February 06, 2020

Metadata:

BOSH Agent Version: 2.268.12

USNs:

Title: USN-4259-1: Apache Solr vulnerability
URL: https://usn.ubuntu.com/4259-1/
Priorities: high
Description: Michael Stepankin and Olga Barinova discovered that Apache Solr was vulnerable to an XXE attack. An attacker could use this vulnerability to remotely execute code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12629

Title: USN-4252-1: tcpdump vulnerabilities
URL: https://usn.ubuntu.com/4252-1/
Priorities: low,medium
Description: Multiple security issues were discovered in tcpdump. A remote attacker could use these issues to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10103
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10105
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14461
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14462
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14463
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14465
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14466
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14467
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14468
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14469
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14470
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14879
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14880
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14881
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14882
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16228
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16229
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16230
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16451
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16452
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19519
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1010220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15166
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15167

Title: USN-4254-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4254-1/
Priorities: medium,negligible,low
Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18683
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18885
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19057
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19062
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19332

Title: USN-4255-2: Linux kernel (HWE) vulnerabilities
URL: https://usn.ubuntu.com/4255-2/
Priorities: medium
Description: USN-4255-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7053

Title: USN-4263-1: Sudo vulnerability
URL: https://usn.ubuntu.com/4263-1/
Priorities: low
Description: Joe Vennix discovered that Sudo incorrectly handled memory operations when the pwfeedback option is enabled. A local attacker could possibly use this issue to obtain unintended access to the administrator account.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18634

Title: USN-4256-1: Cyrus SASL vulnerability
URL: https://usn.ubuntu.com/4256-1/
Priorities: medium
Description: It was discovered that Cyrus SASL incorrectly handled certain LDAP packets. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19906

Title: USN-4265-1: SpamAssassin vulnerabilities
URL: https://usn.ubuntu.com/4265-1/
Priorities: medium
Description: It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker could possibly run arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1930
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1931

Title: USN-4250-1: MySQL vulnerabilities
URL: https://usn.ubuntu.com/4250-1/
Priorities: medium
Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.19 in Ubuntu 19.10. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.29. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2570
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2572
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2573
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2574
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2579
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2584
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2588
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2589
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2627
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2679
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2686
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2694

Title: USN-4257-1: OpenJDK vulnerabilities
URL: https://usn.ubuntu.com/4257-1/
Priorities: low,medium
Description: It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583) It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2583
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2590
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2593
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2601
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2604
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2659

621.51

Available in VMware Tanzu Network

Release Date: January 24, 2020

Bug Fixes

Metadata:

BOSH Agent Version: 2.268.11

USNs:

Title: USN-4246-1: zlib vulnerabilities
URL: https://usn.ubuntu.com/4246-1/
Priorities: low
Description: It was discovered that zlib incorrectly handled pointer arithmetic. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that zlib incorrectly handled vectors involving left shifts of negative integers. An attacker could use…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9841
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9842
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9843

Title: USN-4248-1: GraphicsMagick vulnerabilities
URL: https://usn.ubuntu.com/4248-1/
Priorities: medium
Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16545
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16669
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17498
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17500
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17501
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17502
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17503
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17782
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17783

Title: USN-4244-1: Samba vulnerabilities
URL: https://usn.ubuntu.com/4244-1/
Priorities: low,medium
Description: It was discovered that Samba did not automatically replicate ACLs set to inherit down a subtree on AD Directory, contrary to expectations. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-14902) Robert Święcki discovered that Samba incorrectly handled certain character conversions when the log level is…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14902
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14907
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19344

Title: USN-4247-1: python-apt vulnerabilities
URL: https://usn.ubuntu.com/4247-1/
Priorities: medium
Description: It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795) It was discovered that python-apt could install packages from untrusted repositories, contrary…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15795
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15796

Title: USN-4249-1: e2fsprogs vulnerability
URL: https://usn.ubuntu.com/4249-1/
Priorities: medium
Description: It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5188

Title: USN-4245-1: PySAML2 vulnerability
URL: https://usn.ubuntu.com/4245-1/
Priorities: medium
Description: It was discovered that PySAML2 incorrectly handled certain SAML files. An attacker could possibly use this issue to bypass signature verification with arbitrary data.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5390

621.50

Available in VMware Tanzu Network

Release Date: January 21, 2020

Metadata:

BOSH Agent Version: 2.268.10

USNs:

Title: USN-4232-1: GraphicsMagick vulnerabilities
URL: https://usn.ubuntu.com/4232-1/
Priorities: medium,low
Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14165
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14314
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14504
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14649
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14733
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14994
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14997
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-15277
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-15930
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16352
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16353

Title: USN-4237-1: SpamAssassin vulnerabilities
URL: https://usn.ubuntu.com/4237-1/
Priorities: medium
Description: It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker could possibly run arbitrary code. (CVE-2018-11805) It was discovered that SpamAssassin incorrectly handled certain messages. A remote attacker could possibly use this issue…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11805
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12420

Title: USN-4238-1: SDL_image vulnerabilities
URL: https://usn.ubuntu.com/4238-1/
Priorities: medium,low
Description: It was discovered that SDL_image incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-3977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12216
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12217
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12218
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12219
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12222
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13616
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7635

Title: USN-4240-1: Kamailio vulnerability
URL: https://usn.ubuntu.com/4240-1/
Priorities: high
Description: It was discovered that Kamailio can be exploited by using a specially crafted message that can cause a buffer overflow issue.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-8828

Title: USN-4239-1: PHP vulnerabilities
URL: https://usn.ubuntu.com/4239-1/
Priorities: low
Description: It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, 19.04 and 19.10. (CVE-2019-11045) It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11045
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11046
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11047
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11050

Title: USN-4236-2: Libgcrypt vulnerability
URL: https://usn.ubuntu.com/4236-2/
Priorities: medium
Description: USN-4236-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding fix for Ubuntu 16.04 LTS. Original advisory details: It was discovered that Libgcrypt was susceptible to an ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13627

Title: USN-4227-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4227-1/
Priorities: medium,low
Description: It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901) It was discovered that a heap-based buffer overflow existed in the…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16231
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16233
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19045
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19083
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19529
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19534
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19807

Title: USN-4228-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4228-1/
Priorities: medium,low
Description: It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901) It was discovered that a heap-based buffer overflow existed in the…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19534

Title: USN-4230-1: ClamAV vulnerability
URL: https://usn.ubuntu.com/4230-1/
Priorities: medium
Description: It was discovered that ClamAV incorrectly handled certain MIME messages. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15961

Title: USN-4231-1: NSS vulnerability
URL: https://usn.ubuntu.com/4231-1/
Priorities: medium
Description: It was discovered that NSS incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17006

Title: USN-4234-1: Firefox vulnerabilities
URL: https://usn.ubuntu.com/4234-1/
Priorities: medium,low
Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass Content Security Policy (CSP) restrictions, conduct cross-site scripting (XSS) attacks, or execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17016
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17017
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17020
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17024
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17025
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17026

Title: USN-4235-1: nginx vulnerability
URL: https://usn.ubuntu.com/4235-1/
Priorities: medium
Description: Bert JW Regeer and Francisco Oca Gonzalez discovered that nginx incorrectly handled certain error_page configurations. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks and access resources contrary to expectations.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20372

621.41

Available in VMware Tanzu Network

Release Date: February 04, 2020

Metadata:

BOSH Agent Version: 2.268.9

USNs:

Title: USN-4222-1: GraphicsMagick vulnerabilities
URL: https://usn.ubuntu.com/4222-1/
Priorities: medium,low
Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11638
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11642
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11643
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12936
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12937
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13064
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13065
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13134
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13737
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13775
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13776
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13777

Title: USN-4216-2: Firefox vulnerabilities
URL: https://usn.ubuntu.com/4216-2/
Priorities: medium
Description: USN-4216-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11745
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11756
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17005
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17008
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17010
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17011
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17012
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17013
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17014

Title: USN-4220-1: Git vulnerabilities
URL: https://usn.ubuntu.com/4220-1/
Priorities: medium,low
Description: Joern Schneeweisz and Nicolas Joly discovered that Git contained various security flaws. An attacker could possibly use these issues to overwrite arbitrary paths, execute arbitrary code, and overwrite files in the .git directory.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1348
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1349
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1350
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1351
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1352
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1353
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1354
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1387
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19604

Title: USN-4217-1: Samba vulnerabilities
URL: https://usn.ubuntu.com/4217-1/
Priorities: medium
Description: Andreas Oster discovered that the Samba DNS management server incorrectly handled certain records. An authenticated attacker could possibly use this issue to crash Samba, resulting in a denial of service. (CVE-2019-14861) Isaac Boukris discovered that Samba did not enforce the Kerberos DelegationNotAllowed feature restriction, contrary to…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14861
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14870

Title: USN-4219-1: libssh vulnerability
URL: https://usn.ubuntu.com/4219-1/
Priorities: medium
Description: It was discovered that libssh incorrectly handled certain scp commands. If a user or automated system were tricked into using a specially-crafted scp command, a remote attacker could execute arbitrary commands on the server.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14889

Title: USN-4221-1: libpcap vulnerability
URL: https://usn.ubuntu.com/4221-1/
Priorities: medium
Description: It was discovered that libpcap did not properly validate PHB headers in some situations. An attacker could use this to cause a denial of service (memory exhaustion).
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15165

Title: USN-4214-2: RabbitMQ vulnerability
URL: https://usn.ubuntu.com/4214-2/
Priorities: medium
Description: USN-4214-1 fixed a vulnerability in RabbitMQ. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18609

Title: USN-4224-1: Django vulnerability
URL: https://usn.ubuntu.com/4224-1/
Priorities: high
Description: Simon Charette discovered that the password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19844
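
The mechanism behind USN-4224-1 is worth seeing in code, because the same mistake is easy to make in any password-reset flow: the account is looked up with a Unicode case-insensitive comparison, and the token is then mailed to the string the requester typed rather than to the address stored on the matched account. The block below is an added example, not Django's code; it replaces the ORM with a small in-memory user list and uses U+212A KELVIN SIGN (which casefolds to ASCII "k") as a convenient collision character. Whether such a crafted address is actually delivered to an attacker's mailbox depends on the mail path, which the example does not model; the point it isolates is where the token goes and how strict the comparison is. The `_unicode_ci_compare` guard follows the normalize-then-casefold idea of the upstream fix; treat its exact form here as an assumption.

```python
import unicodedata

# Constructed stand-in for the user table (assumption: a minimal model, not Django's ORM).
USERS = [
    {"username": "ken", "email": "ken@example.org", "active": True},
]

# U+212A KELVIN SIGN lowercases and casefolds to ASCII "k", so this address is
# equal to the victim's under a Unicode case-insensitive comparison while being
# a different string from the one stored on the account.
ATTACKER_INPUT = "\u212aen@example.org"


def lookup_iexact(email):
    """Stand-in for a case-insensitive (iexact-style) query: the database folds
    case on both sides before comparing."""
    wanted = email.casefold()
    return [u for u in USERS if u["active"] and u["email"].casefold() == wanted]


def reset_recipients_vulnerable(submitted_email):
    """The pattern the advisory describes: look the account up case-insensitively,
    then send the reset token to the address the requester typed."""
    return [submitted_email for _ in lookup_iexact(submitted_email)]


def _unicode_ci_compare(s1, s2):
    """Normalize (NFKC) and casefold both sides before comparing, so the
    application-side check is at least as strict as the database lookup.
    Assumption: this mirrors the shape of the upstream guard, not its exact code."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients_hardened(submitted_email):
    """Send only to the address stored on the matched account, and only for
    accounts that still match under the application-side comparison, so a
    looser database collation cannot widen the match."""
    return [u["email"]
            for u in lookup_iexact(submitted_email)
            if _unicode_ci_compare(u["email"], submitted_email)]
```

With the attacker's input, the vulnerable variant addresses the token to the Kelvin-sign string while the hardened one addresses it to `ken@example.org`, the address on file. The account owner may still receive an unsolicited reset mail, but the token never leaves the stored address.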

Title: USN-4223-1: OpenJDK vulnerabilities
URL: https://usn.ubuntu.com/4223-1/
Priorities: medium
Description: Jan Jancar, Petr Svenda, and Vladimir Sedlacek discovered that a side-channel vulnerability existed in the ECDSA implementation in OpenJDK. An attacker could use this to expose sensitive information. (CVE-2019-2894) It was discovered that the Socket implementation in OpenJDK did not properly restrict the creation of subclasses with a custom…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2894
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2945
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2949
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2962
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2964
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2973
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2975
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2978
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2981
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2983
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2987
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2988
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2989
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2992
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2999

621.29

Available in VMware Tanzu Network

Release Date: December 10, 2019

Metadata:

BOSH Agent Version: 2.268.7

USNs:

Title: USN-4211-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4211-1/
Priorities: medium,negligible
Description: Zhipeng Xie discovered that an infinite loop could be triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) Nicolas Waisman discovered that the WiFi driver stack in the Linux kernel did not properly validate SSID lengths. A physically proximate attacker could…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20784
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17075
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17133

Title: USN-4205-1: SQLite vulnerabilities
URL: https://usn.ubuntu.com/4205-1/
Priorities: low,medium
Description: It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 ESM. (CVE-2018-8740) It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service. This issue…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-8740
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16168
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19242
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19244
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5018
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5827

Title: USN-4203-1: NSS vulnerability
URL: https://usn.ubuntu.com/4203-1/
Priorities: medium
Description: It was discovered that NSS incorrectly handled certain memory operations. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11745

Title: USN-4213-1: Squid vulnerabilities
URL: https://usn.ubuntu.com/4213-1/
Priorities: medium,low
Description: Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly handled certain URN requests. A remote attacker could possibly use this issue to bypass access checks and access restricted servers. This issue was only addressed in Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-12523) Jeriko One discovered that Squid incorrectly handed URN…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12523
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12526
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12854
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18676
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18677
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18678
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18679

Title: USN-4210-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4210-1/
Priorities: medium,negligible,low
Description: It was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-16746) Nicolas Waisman discovered that the WiFi driver stack in the Linux…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16746
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17075
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17133
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19060
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19065
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19075

Title: USN-4204-1: psutil vulnerability
URL: https://usn.ubuntu.com/4204-1/
Priorities: medium
Description: Riccardo Schirone discovered that psutil incorrectly handled certain reference counting operations. An attacker could use this issue to cause psutil to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18874

621.26

Release Date: November 26, 2019

BOSH Agent version: 2.268.7

USNs:

Title: USN-4198-1: DjVuLibre vulnerabilities
URL: https://usn.ubuntu.com/4198-1/
Priorities: low
Description: It was discovered that DjVuLibre incorrectly handled certain memory operations. If a user or automated system were tricked into processing a specially crafted DjVu file, a remote attacker could cause applications to hang or crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15142
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15143
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15144
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15145
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18804

621.23

Release Date: November 18, 2019

BOSH Agent version: 2.268.6

USNs:

Title: USN-4186-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4186-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12207
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0154
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15098
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16746
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17666
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2215

Title: USN-4185-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4185-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12207
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0154
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15098
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17666

Title: USN-4190-1: libjpeg-turbo vulnerabilities
URL: https://usn.ubuntu.com/4190-1/
Priorities: low,medium
Description: It was discovered that libjpeg-turbo incorrectly handled certain BMP images. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-14498) It was discovered that libjpeg-turbo incorrectly handled certain JPEG images. An attacker could possibly use this…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14498
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19664
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20330
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2201

Title: USN-4185-3: Linux kernel vulnerability and regression
URL: https://usn.ubuntu.com/4185-3/
Priorities: high
Description: USN-4185-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. Also, the update introduced a regression that broke KVM guests where extended page tables (EPT) are disabled or not supported. This update…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155

Title: USN-4186-3: Linux kernel vulnerability
URL: https://usn.ubuntu.com/4186-3/
Priorities: high
Description: USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. This update addresses the issue. We apologize for the inconvenience. Original advisory details: Stephan van Schaik, Alyssa Milburn, Sebastian…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155

Title: USN-4182-1: Intel Microcode update
URL: https://usn.ubuntu.com/4182-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11139

Title: USN-4191-1: QEMU vulnerabilities
URL: https://usn.ubuntu.com/4191-1/
Priorities: low
Description: It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. (CVE-2019-12068) Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12068
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13164
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14378
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15890

Title: USN-4192-1: ImageMagick vulnerabilities
URL: https://usn.ubuntu.com/4192-1/
Priorities: low,negligible,medium
Description: It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12974
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12975
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12976
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12978
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12979
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13137
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13295
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13297
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13301
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13304
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13305
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13306
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13307
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13391
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13454
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14981
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15139
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15140
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16708
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16709
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16710
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16713

621.12

Release Date: November 12, 2019

BOSH Agent version: 2.268.5

USNs:

Title: USN-4176-1: GNU cpio vulnerability
URL: https://usn.ubuntu.com/4176-1/
Priorities: medium
Description: Thomas Habets discovered that GNU cpio incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14866

Title: USN-4174-1: HAproxy vulnerability
URL: https://usn.ubuntu.com/4174-1/
Priorities: medium
Description: It was discovered that HAproxy incorrectly handled certain HTTP requests. An attacker could possibly use this issue to perform a privilege escalation (Request Smuggling).
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18277

Title: USN-4175-1: Nokogiri vulnerability
URL: https://usn.ubuntu.com/4175-1/
Priorities: medium
Description: It was discovered that Nokogiri incorrectly handled inputs. A remote attacker could possibly use this issue to execute arbitrary OS commands.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5477

621.5

Release Date: October 31, 2019

New stemcell line!

BOSH Agent version: 2.268.3

456.x

This section includes release notes for the 456 line of Linux stemcells used with Ops Manager.

456.128

Available in VMware Tanzu Network

Release Date: November 16, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4587-1: iTALC vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4587-1
Priorities: medium,low
Description: Nicolas Ruff discovered that iTALC had buffer overflows, divide-by-zero errors and didn’t check malloc return values. A remote attacker could use these issues to cause a denial of service or possibly execute arbitrary code. (CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055) Josef Gajdusek discovered that iTALC had…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9941
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15127
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20019
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20020
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20021
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20024
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20748
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20749
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7225
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681

Title: USN-4552-2: Pam-python vulnerability
URL: https://ubuntu.com/security/notices/USN-4552-2
Priorities: medium
Description: Malte Kraus discovered that Pam-python mishandled certain environment variables. A local attacker could potentially use this vulnerability to execute programs as root.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16729

456.126

Available in VMware Tanzu Network

Release Date: October 23, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4593-1: FreeType vulnerability
URL: https://ubuntu.com/security/notices/USN-4593-1
Priorities: high
Description: Sergei Glazunov discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15999

456.125

Available in VMware Tanzu Network

Release Date: October 20, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4582-1: Vim vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4582-1
Priorities: low
Description: It was discovered that Vim incorrectly handled permissions on the .swp file. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-17087) It was discovered that Vim incorrectly handled restricted mode. A local attacker could possibly use this issue to bypass restricted…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17087
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20807

Title: USN-4579-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4579-1
Priorities: low,medium,high
Description: Hador Manor discovered that the DCCP protocol implementation in the Linux kernel improperly handled socket reuse, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-16119) Wen Xu discovered that the XFS file system in the Linux kernel…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10322
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14314
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16119
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25285

Title: USN-4591-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4591-1
Priorities: high,medium
Description: Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351) Andy Nguyen discovered that the Bluetooth A2MP implementation in the…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12351
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12352

Title: USN-4589-1: containerd vulnerability
URL: https://ubuntu.com/security/notices/USN-4589-1
Priorities: medium
Description: It was discovered that containerd could be made to expose sensitive information when processing URLs in container image manifests. A remote attacker could use this to trick the user and obtain the user’s registry credentials.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15157

Title: USN-4589-2: Docker vulnerability
URL: https://ubuntu.com/security/notices/USN-4589-2
Priorities: medium
Description: USN-4589-1 fixed a vulnerability in containerd. This update provides the corresponding update for docker.io. Original advisory details: It was discovered that containerd could be made to expose sensitive information when processing URLs in container image manifests. A remote attacker could use this to trick the user and obtain the user’s…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15157

Title: USN-4581-1: Python vulnerability
URL: https://ubuntu.com/security/notices/USN-4581-1
Priorities: medium
Description: It was discovered that Python incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-26116

Title: USN-4584-1: HtmlUnit vulnerability
URL: https://ubuntu.com/security/notices/USN-4584-1
Priorities: medium
Description: It was discovered that HtmlUnit incorrectly initialized the Rhino engine. An attacker could possibly use this issue to execute arbitrary Java code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5529

Title: USN-4583-1: PHP vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4583-1
Priorities: medium
Description: It was discovered that PHP incorrectly handled certain encrypt ciphers. An attacker could possibly use this issue to decrease security or cause incorrect encryption data. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-7069) It was discovered that PHP incorrectly handled certain HTTP cookies. An attacker could…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7069
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7070

456.123

Available in VMware Tanzu Network

Release Date: October 14, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4573-1: Vino vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4573-1
Priorities: medium,low
Description: Nicolas Ruff discovered that Vino incorrectly handled large ClientCutText messages. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2014-6053) It was discovered that Vino incorrectly handled certain packet lengths. A remote attacker could possibly use this issue to obtain…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7225
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14397
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14402
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14403
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14404

Title: USN-4554-1: libPGF vulnerability
URL: https://ubuntu.com/security/notices/USN-4554-1
Priorities: medium
Description: It was discovered that libPGF lacked proper validation when opening a specially crafted PGF file. An attacker could possibly use this issue to cause a denial of service.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-6673

Title: USN-4557-1: Tomcat vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4557-1
Priorities: low,medium
Description: It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn’t exist. A remote attacker could possibly use this issue to enumerate usernames. (CVE-2016-0762) Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-0762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-5018
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6794
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6797
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6816
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-8735

Title: USN-4578-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4578-1
Priorities: low,medium,high
Description: Hador Manor discovered that the DCCP protocol implementation in the Linux kernel improperly handled socket reuse, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-16119) Wen Xu discovered that the XFS file system in the Linux kernel…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10322
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19448
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14314
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16119
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16120
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25212
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-26088

Title: USN-4547-2: SSVNC vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4547-2
Priorities: medium
Description: It was discovered that the LibVNCClient vendored in SSVNC incorrectly handled certain packet lengths. A remote attacker could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. (CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-2024)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20020
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20021
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20024

Title: USN-4571-1: rack-cors vulnerability
URL: https://ubuntu.com/security/notices/USN-4571-1
Priorities: medium
Description: It was discovered that rack-cors did not properly handle relative file paths. An attacker could use this vulnerability to access arbitrary files.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18978

Title: USN-4572-1: Spice vulnerability
URL: https://ubuntu.com/security/notices/USN-4572-1
Priorities: medium
Description: Frediano Ziglio discovered that Spice incorrectly handled QUIC image decoding. A remote attacker could use this to cause Spice to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14355

Title: USN-4559-1: Samba update
URL: https://ubuntu.com/security/notices/USN-4559-1
Priorities: medium
Description: Tom Tervoort discovered that the Netlogon protocol implemented by Samba incorrectly handled the authentication scheme. A remote attacker could use this issue to forge an authentication token and steal the credentials of the domain admin. While a previous security update fixed the issue by changing the “server schannel” setting to default to…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1472

Title: USN-4551-1: Squid vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4551-1
Priorities: low,medium
Description: Alex Rousskov and Amit Klein discovered that Squid incorrectly handled certain Content-Length headers. A remote attacker could possibly use this issue to perform an HTTP request smuggling attack, resulting in cache poisoning. (CVE-2020-15049) Amit Klein discovered that Squid incorrectly validated certain data. A remote attacker could possibly use…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15049
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24606

Title: USN-4564-1: Apache Tika vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4564-1
Priorities: medium,low
Description: It was discovered that Apache Tika can have an excessive memory usage by using a crafted or corrupt PSD file. An attacker could use it to cause a denial of service (crash). (CVE-2020-1950, CVE-2020-1951)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1950
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1951

Title: USN-4570-1: urllib3 vulnerability
URL: https://ubuntu.com/security/notices/USN-4570-1
Priorities: medium
Description: It was discovered that urllib3 incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-26137

Title: USN-4568-1: Brotli vulnerability
URL: https://ubuntu.com/security/notices/USN-4568-1
Priorities: medium
Description: It was discovered that Brotli incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8927

456.121

Available in VMware Tanzu Network

Release Date: September 28, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4500-1: bsdiff vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4500-1
Priorities: medium
Description: It was discovered that bsdiff mishandled certain input. If a user were tricked into opening a malicious file, an attacker could cause bsdiff to crash or potentially execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-9862

Title: USN-4506-1: MCabber vulnerability
URL: https://ubuntu.com/security/notices/USN-4506-1
Priorities: medium
Description: It was discovered that MCabber does not properly manage roster pushes. An attacker could possibly use this issue to remotely perform man-in-the-middle attacks. (CVE-2016-9928)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9928

Title: USN-4513-1: apng2gif vulnerability
URL: https://ubuntu.com/security/notices/USN-4513-1
Priorities: medium
Description: Dileep Kumar Jallepalli discovered that apng2gif incorrectly handled loading APNG files. An attacker could exploit this with a crafted APNG file to access sensitive information. (CVE-2017-6960)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-6960

Title: USN-4517-1: Email-Address-List vulnerability
URL: https://ubuntu.com/security/notices/USN-4517-1
Priorities: medium
Description: It was discovered that Email-Address-List does not properly parse email addresses during email-ingestion. A remote attacker could use this issue to cause an algorithmic complexity attack, resulting in a denial of service. (CVE-2018-18898)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18898

Title: USN-4507-1: ncmpc vulnerability
URL: https://ubuntu.com/security/notices/USN-4507-1
Priorities: medium
Description: It was discovered that ncmpc incorrectly handled long chat messages. A remote attacker could possibly exploit this with a crafted chat message, causing ncmpc to crash, resulting in a denial of service. (CVE-2018-9240)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-9240

Title: USN-4499-1: MilkyTracker vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4499-1
Priorities: medium
Description: It was discovered that MilkyTracker did not properly handle certain input. If a user were tricked into opening a malicious file, an attacker could cause MilkyTracker to crash or potentially execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14496
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14497

Title: USN-4504-1: OpenSSL vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4504-1
Priorities: low
Description: Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1551
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1563
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1968

Title: USN-4498-1: Loofah vulnerability
URL: https://ubuntu.com/security/notices/USN-4498-1
Priorities: medium
Description: It was discovered that Loofah does not properly sanitize JavaScript in sanitized output. An attacker could possibly use this issue to perform XSS attacks. (CVE-2019-15587)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15587

Title: USN-4496-1: Apache XML-RPC vulnerability URL: https://ubuntu.com/security/notices/USN-4496-1 Priorities: medium Description: It was discovered that Apache XML-RPC (aka ws-xmlrpc) does not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-17570) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17570

Title: USN-4526-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4526-1 Priorities: low,medium Description: It was discovered that the AMD Cryptographic Coprocessor device driver in the Linux kernel did not properly deallocate memory in some situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-18808) It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19061
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19073
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19074
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9445
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12888
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14356
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16166

Title: USN-4527-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4527-1 Priorities: low,medium Description: It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19054) It was discovered that the Atheros HTC based wireless driver in the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19073
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19074
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9445
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9453
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25212

Title: USN-4520-1: Exim SpamAssassin vulnerability URL: https://ubuntu.com/security/notices/USN-4520-1 Priorities: medium Description: It was discovered that Exim SpamAssassin does not properly handle configuration strings. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-19920) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19920

Title: USN-4534-1: Perl DBI module vulnerability URL: https://ubuntu.com/security/notices/USN-4534-1 Priorities: medium Description: It was discovered that Perl DBI module incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20919

Title: USN-4535-1: RDFLib vulnerability URL: https://ubuntu.com/security/notices/USN-4535-1 Priorities: medium Description: Gabriel Corona discovered that RDFLib did not properly load modules on the command-line. An attacker could possibly use this issue to cause RDFLib to execute arbitrary code. (CVE-2019-7653) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7653

Title: USN-4528-1: Ceph vulnerabilities URL: https://ubuntu.com/security/notices/USN-4528-1 Priorities: medium Description: Adam Mohammed discovered that Ceph incorrectly handled certain CORS ExposeHeader tags. A remote attacker could possibly use this issue to perform an HTTP header injection attack. (CVE-2020-10753) Lei Cao discovered that Ceph incorrectly handled certain POST requests with invalid tagging XML. A remote attacker could possibly use this issue… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10753
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12059
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1760

Title: USN-4518-1: xawtv vulnerability URL: https://ubuntu.com/security/notices/USN-4518-1 Priorities: low Description: Matthias Gerstner discovered that xawtv incorrectly handled opening files. A local attacker could possibly use this issue to open and write to arbitrary files and escalate privileges. (CVE-2020-13696) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13696

Title: USN-4521-1: pam_tacplus vulnerability URL: https://ubuntu.com/security/notices/USN-4521-1 Priorities: low Description: It was discovered that pam_tacplus did not properly manage shared secrets if DEBUG loglevel and journald are used. A remote attacker could use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13881

Title: USN-4511-1: QEMU vulnerability URL: https://ubuntu.com/security/notices/USN-4511-1 Priorities: medium Description: Ziming Zhang, Xiao Wei, Gonglei Arei, and Yanyu Zhang discovered that QEMU incorrectly handled certain USB packets. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14364

Title: USN-4503-1: Perl DBI module vulnerability URL: https://ubuntu.com/security/notices/USN-4503-1 Priorities: medium Description: It was discovered that Perl DBI module incorrectly handled certain calls. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14392

Title: USN-4537-1: Aptdaemon vulnerability URL: https://ubuntu.com/security/notices/USN-4537-1 Priorities: medium Description: Vaisha Bernard discovered that Aptdaemon incorrectly handled the Locale property. A local attacker could use this issue to test for the presence of local files. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15703

Title: USN-4519-1: PulseAudio vulnerability URL: https://ubuntu.com/security/notices/USN-4519-1 Priorities: medium Description: Ratchanan Srirattanamet discovered that an Ubuntu-specific patch caused PulseAudio to incorrectly handle memory under certain error conditions in the Bluez 5 module. An attacker could use this issue to cause PulseAudio to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-15710) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15710

Title: USN-4501-1: LuaJIT vulnerability URL: https://ubuntu.com/security/notices/USN-4501-1 Priorities: low Description: It was discovered that an out-of-bounds read existed in LuaJIT. An attacker could use this to cause a denial of service (application crash) or possibly expose sensitive information. (CVE-2020-15890) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15890

Title: USN-4538-1: PackageKit vulnerabilities URL: https://ubuntu.com/security/notices/USN-4538-1 Priorities: low,medium Description: Vaisha Bernard discovered that PackageKit incorrectly handled certain methods. A local attacker could use this issue to learn the MIME type of any file on the system. (CVE-2020-16121) Sami Niemimäki discovered that PackageKit incorrectly handled local deb packages. A local user could possibly use this issue to install untrusted packages, contrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16121
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16122

Title: USN-4514-1: libproxy vulnerability URL: https://ubuntu.com/security/notices/USN-4514-1 Priorities: medium Description: It was discovered that libproxy incorrectly handled certain PAC files. An attacker could possibly use this issue to cause a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25219

Title: USN-4508-1: StoreBackup vulnerability URL: https://ubuntu.com/security/notices/USN-4508-1 Priorities: medium Description: It was discovered that StoreBackup did not properly manage lock files. A local attacker could use this issue to cause a denial of service or escalate privileges and run arbitrary code. (CVE-2020-7040) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7040

Title: USN-4515-1: Pure-FTPd vulnerability URL: https://ubuntu.com/security/notices/USN-4515-1 Priorities: low Description: Antonio Norales discovered that Pure-FTPd incorrectly handled directory aliases. An attacker could possibly use this issue to access sensitive information. (CVE-2020-9274) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9274
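The entries above follow one fixed layout: a bare version heading, a Release Date and BOSH Agent Version line, then one Title line per USN (Title, URL, Priorities, Description, ending in CVEs:) followed by one "- " link per CVE. The practical question an operator has is "which stemcell in this line first carries the fix for CVE X, and is the version I am running at or past it?" The following parser and lookup is an added example written for this page; it is not VMware, BOSH or Ubuntu code. It assumes a release lists the USNs it carries and that later releases in the same line (same number before the dot) are cumulative, and it runs on a constructed excerpt that copies the page layout rather than on the full page.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the release notes on this page
# (not the full page): version headings, metadata, one "Title:" line per USN,
# then one "- <url>" line per CVE.
SAMPLE_NOTES = """\
456.120

Release Date: September 09, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4489-1: Linux kernel vulnerability URL: https://ubuntu.com/security/notices/USN-4489-1 Priorities: high Description: Or Cohen discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14386

Title: USN-4476-1: NSS vulnerability URL: https://ubuntu.com/security/notices/USN-4476-1 Priorities: medium Description: It was discovered that NSS incorrectly handled some inputs. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12403

456.118

Release Date: August 18, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4432-1: GRUB 2 vulnerabilities URL: https://ubuntu.com/security/notices/USN-4432-1 Priorities: high,medium Description: Jesse Michael and Mickey Shkatov discovered that the configuration parser in GRUB2 did not properly exit when errors were discovered… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10713
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15705
"""

VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")
DATE_RE = re.compile(r"^Release Date: (.*)$")
AGENT_RE = re.compile(r"^BOSH Agent Version: (\S+)")
TITLE_RE = re.compile(
    r"^Title: (?P<usn>USN-\d+-\d+): (?P<title>.*?) URL: (?P<url>\S+) "
    r"Priorities: (?P<prio>\S+) Description: (?P<desc>.*) CVEs:$"
)
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})$")


def parse_release_notes(text):
    """Return {version: {"date", "agent", "usns": [ {id,title,url,priorities,cves} ]}}."""
    releases = {}
    current = None   # version heading currently being read
    usn = None       # USN record currently collecting "- <cve url>" lines
    for raw in text.splitlines():
        line = raw.strip()
        if VERSION_RE.match(line):
            current = line
            releases[current] = {"date": None, "agent": None, "usns": []}
            usn = None
            continue
        if current is None:
            continue           # text before the first version heading
        m = DATE_RE.match(line)
        if m:
            releases[current]["date"] = m.group(1)
            continue
        m = AGENT_RE.match(line)
        if m:
            releases[current]["agent"] = m.group(1)
            continue
        m = TITLE_RE.match(line)
        if m:
            usn = {"id": m.group("usn"), "title": m.group("title"),
                   "url": m.group("url"),
                   "priorities": m.group("prio").split(","), "cves": []}
            releases[current]["usns"].append(usn)
            continue
        if line.startswith("- ") and usn is not None:
            m = CVE_RE.search(line)
            if m:
                usn["cves"].append(m.group(1))
    return releases


def version_key(v):
    """'456.120' -> (456, 120) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def cve_index(releases):
    """Map CVE id -> sorted list of stemcell versions whose notes list it."""
    idx = defaultdict(set)
    for version, rel in releases.items():
        for usn in rel["usns"]:
            for cve in usn["cves"]:
                idx[cve].add(version)
    return {c: sorted(v, key=version_key) for c, v in idx.items()}


def first_fixed_in(releases, cve):
    """Lowest stemcell version whose notes list the CVE, or None if unlisted."""
    versions = cve_index(releases).get(cve)
    return versions[0] if versions else None


def is_patched(releases, running_version, cve):
    """True when running_version is in the same line as, and not older than,
    the first release listing cve. Assumes releases within a line are cumulative;
    another line (different major number) is not covered by these notes."""
    fixed = first_fixed_in(releases, cve)
    if fixed is None or version_key(fixed)[0] != version_key(running_version)[0]:
        return False
    return version_key(running_version) >= version_key(fixed)


def highest_priority(releases, version):
    """Most severe Ubuntu priority among the USNs shipped in one release."""
    order = ["negligible", "low", "medium", "high", "critical"]
    prios = {p for usn in releases[version]["usns"] for p in usn["priorities"]}
    return max(prios, key=order.index) if prios else None


if __name__ == "__main__":
    rel = parse_release_notes(SAMPLE_NOTES)
    for cve in ("CVE-2020-14386", "CVE-2020-10713"):
        print(cve, "first listed in", first_fixed_in(rel, cve),
              "| 456.118 patched:", is_patched(rel, "456.118", cve))
```

Feed it the text of this page instead of SAMPLE_NOTES to answer the same questions for the 621 and 456 lines. Treat a None from first_fixed_in as "not listed here", not as "not vulnerable": a CVE can be fixed in a stemcell without appearing in these notes, and the truncated Description fields ("…") mean the CVE list, not the prose, is the field to search.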

456.120

Available in VMware Tanzu Network

Release Date: September 09, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4485-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4485-1 Priorities: low,medium,negligible Description: Timothy Michaud discovered that the i915 graphics driver in the Linux kernel did not properly validate user memory locations for the i915_gem_execbuffer2_ioctl. A local attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2018-20669) It was discovered that the Kvaser CAN/USB driver in the Linux kernel… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20669
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10781
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12771
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15393
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24394

Title: USN-4476-1: NSS vulnerability URL: https://ubuntu.com/security/notices/USN-4476-1 Priorities: medium Description: It was discovered that NSS incorrectly handled some inputs. An attacker could possibly use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12403

Title: USN-4490-1: X.Org X Server vulnerability URL: https://ubuntu.com/security/notices/USN-4490-1 Priorities: medium Description: Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XkbSetNames function. A local attacker could possibly use this issue to escalate privileges. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14345

Title: USN-4489-1: Linux kernel vulnerability URL: https://ubuntu.com/security/notices/USN-4489-1 Priorities: high Description: Or Cohen discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14386

Title: USN-4482-1: Ark vulnerability URL: https://ubuntu.com/security/notices/USN-4482-1 Priorities: medium Description: Fabian Vogt discovered that Ark incorrectly handled symbolic links in tar archive files. An attacker could use this to construct a malicious tar archive that, when opened, would create files outside the extraction directory. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24654

456.119

Available in VMware Tanzu Network

Release Date: August 27, 2020

Metadata:

BOSH Agent Version: 2.234.7

This release changes the Linux Google light stemcell to reference a source image. This reduces the time it takes to upload the light stemcell, and it also mitigates the new GCP image creation rate limit, which any user uploading more than 6 GCP stemcells an hour would hit.

USNs:

Title: USN-4459-1: Salt vulnerabilities URL: https://ubuntu.com/security/notices/USN-4459-1 Priorities: medium Description: It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. (CVE-2018-15750) It was discovered that Salt has a vulnerability that allows a user to bypass authentication. An attacker could use that to extract sensitive information, execute arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17361
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11651
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11652

Title: USN-4467-1: QEMU vulnerabilities URL: https://ubuntu.com/security/notices/USN-4467-1 Priorities: medium,low Description: Ziming Zhang and VictorV discovered that the QEMU SLiRP networking implementation incorrectly handled replying to certain ICMP echo requests. An attacker inside a guest could possibly use this issue to leak host memory to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-10756) Eric Blake and Xueqiang Wei… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10756
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10761
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12829
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13253
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13361
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13362
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13659
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13754
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13765
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13800
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14415
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15863
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16092

Title: USN-4463-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4463-1 Priorities: low Description: It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12771) Kyungtae Kim discovered that the USB testing driver in the Linux kernel did not properly deallocate memory on disconnect events. A… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12771
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15393

Title: USN-4469-1: Ghostscript vulnerabilities URL: https://ubuntu.com/security/notices/USN-4469-1 Priorities: medium Description: It was discovered that Ghostscript incorrectly handled certain document files. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could use this issue to cause Ghostscript to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16287
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16288
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16289
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16290
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16292
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16293
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16294
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16295
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16296
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16297
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16298
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16299
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16301
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16302
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16303
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16304
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16305
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16306
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16307
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-17538

Title: USN-4466-1: curl vulnerability URL: https://ubuntu.com/security/notices/USN-4466-1 Priorities: low Description: Marc Aldorasi discovered that curl incorrectly handled the libcurl CURLOPT_CONNECT_ONLY option. This could result in data being sent to the wrong destination, possibly exposing sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8231

Title: USN-4468-1: Bind vulnerabilities URL: https://ubuntu.com/security/notices/USN-4468-1 Priorities: medium,low Description: Emanuel Almeida discovered that Bind incorrectly handled certain TCP payloads. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8620) Joseph Gullo discovered that Bind incorrectly handled QNAME minimization when used in certain… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8620
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8621
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8622
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8623
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8624

456.118

Available in VMware Tanzu Network

Release Date: August 18, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4427-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4427-1 Priorities: negligible,low,medium Description: It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974

Title: USN-4446-1: Squid vulnerabilities URL: https://ubuntu.com/security/notices/USN-4446-1 Priorities: medium Description: Jeriko One discovered that Squid incorrectly handled caching certain requests. A remote attacker could possibly use this issue to perform cache-injection attacks or gain access to reverse proxy features such as ESI. (CVE-2019-12520) Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly handled certain URN requests. A remote… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12520
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12523
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18676

Title: USN-4426-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4426-1 Priorities: medium Description: Jason A. Donenfeld discovered that the ACPI implementation in the Linux kernel did not properly restrict loading SSDT code from an EFI variable. A privileged attacker could use this to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel. (CVE-2019-20908) Fan Yang discovered that the mremap implementation in the Linux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10757
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15780

Title: USN-4432-1: GRUB 2 vulnerabilities URL: https://ubuntu.com/security/notices/USN-4432-1 Priorities: high,medium Description: Jesse Michael and Mickey Shkatov discovered that the configuration parser in GRUB2 did not properly exit when errors were discovered, resulting in heap-based buffer overflows. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713) Chris Coulson discovered that the GRUB2 function… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10713
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15705
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15706
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15707

Title: USN-4449-1: Apport vulnerabilities URL: https://ubuntu.com/security/notices/USN-4449-1 Priorities: medium Description: Ryota Shiga discovered that Apport incorrectly dropped privileges when making certain D-Bus calls. A local attacker could use this issue to read arbitrary files. (CVE-2020-11936) Seong-Joong Kim discovered that Apport incorrectly parsed configuration files. A local attacker could use this issue to cause Apport to crash, resulting in a denial of… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11936
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15701
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15702

Title: USN-4455-1: NSS vulnerabilities URL: https://ubuntu.com/security/notices/USN-4455-1 Priorities: medium Description: It was discovered that NSS incorrectly handled certain signatures. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-12400, CVE-2020-12401, CVE-2020-6829) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12400
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12401
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6829

Title: USN-4448-1: Tomcat vulnerabilities URL: https://ubuntu.com/security/notices/USN-4448-1 Priorities: medium,low Description: It was discovered that Tomcat incorrectly validated the payload length in a WebSocket frame. A remote attacker could possibly use this issue to cause Tomcat to hang, resulting in a denial of service. (CVE-2020-13935) It was discovered that Tomcat incorrectly handled HTTP header parsing. In certain environments where Tomcat is located behind a… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9484

Title: USN-4454-1: Samba vulnerability URL: https://ubuntu.com/security/notices/USN-4454-1 Priorities: medium Description: Martin von Wittich and Wilko Meyer discovered that Samba incorrectly handled certain empty UDP packets when being used as an AD DC NBT server. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14303

Title: USN-4441-1: MySQL vulnerabilities URL: https://ubuntu.com/security/notices/USN-4441-1 Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.21 in Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.31. In addition to security fixes, the updated packages contain bug fixes, new features, and… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14539
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14540
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14550
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14553
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14559
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14568
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14576
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14586
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14591
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14597
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14619
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14620
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14623
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14624
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14631
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14632
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14633
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14634
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14643
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14651
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14663
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14678
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14680
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14697
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14702

Title: USN-4453-1: OpenJDK 8 vulnerabilities URL: https://ubuntu.com/security/notices/USN-4453-1 Priorities: medium Description: Johannes Kuhn discovered that OpenJDK 8 incorrectly handled access control contexts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-14556) Philippe Arteau discovered that OpenJDK 8 incorrectly verified names in TLS server’s X.509 certificates. An attacker could possibly use this issue to obtain sensitive… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14556
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14578
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14579
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14581
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14583
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14593
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14621

Title: USN-4443-1: Firefox vulnerabilities URL: https://ubuntu.com/security/notices/USN-4443-1 Priorities: medium,low Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass iframe sandbox restrictions, confuse the user, or execute arbitrary code. (CVE-2020-6463, CVE-2020-6514,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15652
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15653
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15658
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15659
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6463
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6514

Title: USN-4451-1: ppp vulnerability URL: https://ubuntu.com/security/notices/USN-4451-1 Priorities: medium Description: Thomas Chauchefoin, working with Trend Micro's Zero Day Initiative, discovered that ppp incorrectly handled module loading. A local attacker could use this issue to load arbitrary kernel modules and possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15704

Title: USN-4447-1: libssh vulnerability URL: https://ubuntu.com/security/notices/USN-4447-1 Priorities: medium Description: It was discovered that libssh incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16135

456.116

Available in VMware Tanzu Network

Release Date: July 30, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4427-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4427-1 Priorities: low,medium,negligible Description: It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974

Title: USN-4426-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4426-1 Priorities: medium Description: Jason A. Donenfeld discovered that the ACPI implementation in the Linux kernel did not properly restrict loading SSDT code from an EFI variable. A privileged attacker could use this to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel. (CVE-2019-20908) Fan Yang discovered that the mremap implementation in the Linux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10757
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15780

Title: USN-4436-1: librsvg vulnerabilities URL: https://ubuntu.com/security/notices/USN-4436-1 Priorities: low Description: It was discovered that librsvg incorrectly handled parsing certain SVG files. A remote attacker could possibly use this issue to cause librsvg to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-11464) It was discovered that librsvg incorrectly handled parsing certain SVG files with nested patterns. A… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20446

Title: USN-4435-1: ClamAV vulnerabilities URL: https://ubuntu.com/security/notices/USN-4435-1 Priorities: medium Description: It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327) It was discovered that ClamAV incorrectly handled scanning malicious files. A local attacker could possibly use this issue to delete arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3327
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3350
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3481

Title: USN-4434-1: LibVNCServer vulnerabilities URL: https://ubuntu.com/security/notices/USN-4434-1 Priorities: medium Description: Ramin Farajpour Cami discovered that LibVNCServer incorrectly handled certain malformed unix socket names. A remote attacker could exploit this with a crafted socket name, leading to a denial of service, or possibly execute arbitrary code. (CVE-2019-20839) It was discovered that LibVNCServer did not properly access byte-aligned data. A remote… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20839
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14396
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14397
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14398
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14399
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14400
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14401
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14402
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14403
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14404
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14405

Title: USN-4431-1: FFmpeg vulnerabilities URL: https://ubuntu.com/security/notices/USN-4431-1 Priorities: low,medium Description: It was discovered that FFmpeg incorrectly verified empty audio packets or HEVC data. An attacker could possibly use this issue to cause a denial of service via a crafted file. This issue only affected Ubuntu 16.04 LTS, as it was already fixed in Ubuntu 18.04 LTS. For more information see: https://usn.ubuntu.com/usn/usn-3967-1 (CVE-2018-15822,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15822
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11338
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12730
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13312
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13390
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17539
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17542
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12284
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13904

Title: USN-4428-1: Python vulnerabilities URL: https://ubuntu.com/security/notices/USN-4428-1 Priorities: low,medium Description: It was discovered that Python documentation had misleading information. A security issue could possibly be caused by wrong assumptions based on this information. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-17514) It was discovered that Python incorrectly handled certain TAR… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17514
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20907
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9674
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14422

Title: USN-4424-1: snapd vulnerabilities URL: https://ubuntu.com/security/notices/USN-4424-1 Priorities: medium Description: It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices ran on every boot without restrictions. A physical attacker could exploit this to craft cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11933
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11934

Title: USN-4421-1: Thunderbird vulnerabilities URL: https://ubuntu.com/security/notices/USN-4421-1 Priorities: medium Description: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-12405, CVE-2020-12406, CVE-2020-12410, CVE-2020-12417,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12398
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12399
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12405
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12406
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12410
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12417
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12418
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12419
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12420
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12421

Title: USN-4419-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4419-1 Priorities: low,medium Description: It was discovered that a race condition existed in the Precision Time Protocol (PTP) implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-10690) Matthew Sheets discovered that the SELinux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10690
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12770
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13143
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

Title: USN-4414-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4414-1 Priorities: low,medium,negligible Description: It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16089
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19036
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19039
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19318
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19377
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19462
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19813
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19816
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12770
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13143

Title: USN-4416-1: GNU C Library vulnerabilities URL: https://ubuntu.com/security/notices/USN-4416-1 Priorities: low,medium Description: Florian Weimer discovered that the GNU C Library incorrectly handled certain memory operations. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-12133) It was discovered that the GNU C Library… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12133
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-18269
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11236
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11237
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19591
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-6485
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19126
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9169
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10029
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1752

Title: USN-4415-1: coTURN vulnerabilities URL: https://ubuntu.com/security/notices/USN-4415-1 Priorities: medium Description: Felix Dörre discovered that the coTURN response buffer is not initialized properly. An attacker could possibly use this issue to obtain sensitive information. (CVE-2020-4067) It was discovered that the coTURN web server incorrectly handled HTTP POST requests. An attacker could possibly use this issue to cause a denial of service, obtain sensitive… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-4067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6061
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6062

Title: USN-4408-1: Firefox vulnerabilities URL: https://ubuntu.com/security/notices/USN-4408-1 Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass permission prompts, or execute arbitrary code. (CVE-2020-12415, CVE-2020-12416, CVE-2020-12417,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12415
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12416
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12417
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12418
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12419
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12420
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12421
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12422
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12424
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12425
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12426

Title: USN-4409-1: Samba vulnerabilities URL: https://ubuntu.com/security/notices/USN-4409-1 Priorities: medium Description: Andrew Bartlett discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10730) Douglas Bagnall discovered that Samba… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10730
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10745
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10760

Title: USN-4407-1: LibVNCServer vulnerabilities URL: https://ubuntu.com/security/notices/USN-4407-1 Priorities: low,medium Description: It was discovered that LibVNCServer incorrectly handled decompressing data. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service. (CVE-2019-15680) It was discovered that an information disclosure vulnerability existed in LibVNCServer when sending a ServerCutText message. An attacker could… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-18922
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15680
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15690
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20788

Title: USN-4403-1: Mutt vulnerability and regression URL: https://ubuntu.com/security/notices/USN-4403-1 Priorities: medium Description: It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to enable MITM attacks. (CVE-2020-14954) This update also addresses a regression caused by the previous update, USN-4401-1. It only affected Ubuntu 12.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14954

Title: USN-4402-1: curl vulnerabilities URL: https://ubuntu.com/security/notices/USN-4402-1 Priorities: medium Description: Marek Szlagor, Gregory Jefferis and Jeroen Ooms discovered that curl incorrectly handled certain credentials. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-8169) It was discovered that curl incorrectly handled certain parameters. An attacker could… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8169
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8177

456.115

Available in VMware Tanzu Network

Release Date: July 20, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4397-1: NSS vulnerabilities URL: https://usn.ubuntu.com/4397-1/ Priorities: low,medium Description: It was discovered that NSS incorrectly handled the TLS State Machine. A remote attacker could possibly use this issue to cause NSS to hang, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-17023) Cesar Pereida Garcia discovered that NSS incorrectly handled DSA key generation. A local attacker… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12399

Title: USN-4400-1: nfs-utils vulnerability URL: https://usn.ubuntu.com/4400-1/ Priorities: low Description: It was discovered that the nfs-utils package set incorrect permissions on the /var/lib/nfs directory. An attacker could possibly use this issue to escalate privileges. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-3689

Title: USN-4396-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4396-1/ Priorities: low,medium Description: It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-0093, CVE-2020-0182) It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to cause a remote denial of service. (CVE-2020-0198) It was… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0093
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0182
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0198
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13112
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13113
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13114

Title: USN-4395-1: fwupd vulnerability URL: https://usn.ubuntu.com/4395-1/ Priorities: medium Description: Justin Steven discovered that fwupd incorrectly handled certain signature verification. An attacker could possibly use this issue to install an unsigned firmware. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10759

Title: USN-4398-1: DBus vulnerability URL: https://usn.ubuntu.com/4398-1/ Priorities: medium Description: Kevin Backhouse discovered that DBus incorrectly handled file descriptors. A local attacker could possibly use this issue to cause DBus to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12049

Title: USN-4401-1: Mutt vulnerabilities URL: https://usn.ubuntu.com/4401-1/ Priorities: medium,low Description: It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to enable MITM attacks. (CVE-2020-14093) It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to proceed with a connection even if the user rejects an expired intermediate… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14093
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14154

456.114

Available in VMware Tanzu Network

Release Date: June 17, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4385-1: Intel Microcode vulnerabilities URL: https://usn.ubuntu.com/4385-1/ Priorities: medium Description: It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0543
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0548
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0549

Title: LSN-0068-1: Kernel Live Patch Security Notice URL: https://usn.ubuntu.com/lsn/0068-1/ Priorities: medium Description: Several security issues were fixed in the kernel. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0543
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8647
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8649
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11494
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12114

Title: USN-4386-1: libjpeg-turbo vulnerability URL: https://usn.ubuntu.com/4386-1/ Priorities: medium Description: It was discovered that libjpeg-turbo incorrectly handled certain PPM files. An attacker could possibly use this issue to access sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13790

456.113

Available in VMware Tanzu Network

Release Date: June 10, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4358-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4358-1/ Priorities: low,medium Description: It was discovered that libexif incorrectly handled certain tags. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20030) It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash. (CVE-2020-12767) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20030
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12767

Title: USN-4351-1: Linux firmware vulnerability URL: https://usn.ubuntu.com/4351-1/ Priorities: medium Description: Eli Biham and Lior Neumann discovered that certain Bluetooth devices incorrectly validated key exchange parameters. An attacker could possibly use this issue to obtain sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-5383

Title: USN-4364-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4364-1/ Priorities: low,medium Description: It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19060) It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19060
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11494
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11565
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11608
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11609
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11668

Title: USN-4354-1: Mailman vulnerability URL: https://usn.ubuntu.com/4354-1/ Priorities: medium Description: It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to inject arbitrary content in the login page. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12108

Title: USN-4352-1: OpenLDAP vulnerability URL: https://usn.ubuntu.com/4352-1/ Priorities: medium Description: It was discovered that OpenLDAP incorrectly handled certain queries. A remote attacker could possibly use this issue to cause OpenLDAP to consume resources, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12243

Title: USN-4353-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4353-1/ Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass security restrictions, spoof the URL bar, or execute arbitrary code. (CVE-2020-6831, CVE-2020-12387, CVE-2020-12390, CVE-2020-12391, CVE-2020-12394,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12387
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12390
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12391
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12392
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12394
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12395
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12396
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6831

Title: USN-4360-1: json-c vulnerability URL: https://usn.ubuntu.com/4360-1/ Priorities: medium Description: It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12762

Title: USN-4350-1: MySQL vulnerabilities URL: https://usn.ubuntu.com/4350-1/ Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.80 in Ubuntu 19.10 and Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.30. In addition to security fixes, the updated packages contain bug fixes,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2759
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2760
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2763
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2765
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2780
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2804
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2812
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2892
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2893
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2898
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2903
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2904
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2921
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2922
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2923
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2924
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2925
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2926
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2928
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2930

Title: USN-4359-1: APT vulnerability URL: https://usn.ubuntu.com/4359-1/ Priorities: medium Description: It was discovered that APT incorrectly handled certain filenames during package installation. If an attacker could provide a specially crafted package to be installed by the system administrator, this could cause APT to crash. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3810

Title: USN-4365-1: Bind vulnerabilities URL: https://usn.ubuntu.com/4365-1/ Priorities: medium Description: Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack. (CVE-2020-8616) Tobias Klein discovered that Bind incorrectly handled… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8616
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8617

Title: LSN-0066-1: Kernel Live Patch Security Notice URL: https://usn.ubuntu.com/lsn/0066-1/ Priorities: medium Description: Several security issues were fixed in the Linux kernel. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8647
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8649

456.112

Available in VMware Tanzu Network

Release Date: May 12, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4339-1: OpenEXR vulnerabilities URL: https://usn.ubuntu.com/4339-1/ Priorities: low,medium Description: Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115) Tan Jie… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9111
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9113
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9115
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18444
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11758
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11759
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11760
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11761
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11763
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11764
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11765

Title: USN-4348-1: Mailman vulnerabilities URL: https://usn.ubuntu.com/4348-1/ Priorities: low,medium Description: It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary scripts or HTML. (CVE-2018-0618) It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to display arbitrary text on a web page. (CVE-2018-13796) It was discovered… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0618
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12137

Title: USN-4349-1: EDK II vulnerabilities URL: https://usn.ubuntu.com/4349-1/ Priorities: medium,low Description: A buffer overflow was discovered in the network stack. An unprivileged user could potentially enable escalation of privilege and/or denial of service. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12178) A buffer overflow was discovered in BlockIo service. An unauthenticated user could potentially enable… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12178
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12180
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12181
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14558
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14559
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14563
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14586
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14587

Title: USN-4346-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4346-1/ Priorities: low,medium Description: It was discovered that the QLogic Fibre Channel driver in the Linux kernel did not properly check for errors, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16233) It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16233
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16234
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9383

Title: USN-4345-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4345-1/ Priorities: low,medium,high Description: Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-11884) It was discovered that the Intel Wi-Fi driver in the Linux kernel did… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16234
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11608
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11609
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11668
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11884
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9383

Title: USN-4340-1: CUPS vulnerabilities URL: https://usn.ubuntu.com/4340-1/ Priorities: low,medium Description: It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2019-2228) Stephan Zeisberg discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2228
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3898

Title: USN-4341-1: Samba vulnerabilities URL: https://usn.ubuntu.com/4341-1/ Priorities: medium Description: Andrei Popa discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10700) It was discovered that Samba incorrectly handled certain LDAP… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10700
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10704

456.110

Available in VMware Tanzu Network

Release Date: April 23, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4333-1: Python vulnerabilities URL: https://usn.ubuntu.com/4333-1/ Priorities: medium,low Description: It was discovered that Python incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection. (CVE-2019-18348) It was discovered that Python incorrectly handled certain HTTP requests. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-8492) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18348
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8492

Title: USN-4334-1: Git vulnerability URL: https://usn.ubuntu.com/4334-1/ Priorities: medium Description: Carlo Arenas discovered that Git incorrectly handled certain URLs containing newlines, empty hosts, or lacking a scheme. A remote attacker could possibly use this issue to trick Git into returning credential information for a wrong host. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11008

Title: USN-4332-1: File Roller vulnerability URL: https://usn.ubuntu.com/4332-1/ Priorities: medium Description: It was discovered that File Roller incorrectly handled symlinks. An attacker could possibly use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11736

456.108

Available in VMware Tanzu Network

Release Date: April 21, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4326-1: libiberty vulnerabilities URL: https://usn.ubuntu.com/4326-1/ Priorities: low,medium Description: It was discovered that libiberty incorrectly handled parsing certain binaries. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause libiberty to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12697
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12698
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12934
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17794
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17985
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18483
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18484
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18700
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18701
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-9138
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14250
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9070
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9071

Title: USN-4323-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4323-1/ Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-6821, CVE-2020-6822, CVE-2020-6824, CVE-2020-6825, CVE-2020-6826) It was discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6821
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6822
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6823
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6824
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6825
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6826

Title: USN-4320-1: Linux kernel vulnerability URL: https://usn.ubuntu.com/4320-1/ Priorities: medium Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428

Title: USN-4318-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4318-1/ Priorities: medium,low Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428) Gustavo Romero and Paul Mackerras discovered that the KVM implementation in the Linux kernel for… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8834
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

Title: USN-4324-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4324-1/ Priorities: medium,low Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428) Shijie Luo discovered that the ext4 file system implementation in the Linux kernel did not… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

456.104

Available in VMware Tanzu Network

Release Date: April 06, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4311-1: BlueZ vulnerabilities URL: https://usn.ubuntu.com/4311-1/ Priorities: low,medium Description: It was discovered that BlueZ incorrectly handled bonding HID and HOGP devices. A local attacker could possibly use this issue to impersonate non-bonded devices. (CVE-2020-0556) It was discovered that BlueZ incorrectly handled certain commands. A local attacker could use this issue to cause BlueZ to crash, resulting in a denial of service, or… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-7837
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0556

Title: USN-4316-1: GD Graphics Library vulnerabilities URL: https://usn.ubuntu.com/4316-1/ Priorities: low Description: It was discovered that GD Graphics Library incorrectly handled cloning an image. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service. (CVE-2018-14553) It was discovered that GD Graphics Library incorrectly handled loading images from X bitmap format files. An attacker could possibly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14553
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11038

Title: USN-4314-1: pam-krb5 vulnerability URL: https://usn.ubuntu.com/4314-1/ Priorities: medium Description: Russ Allbery discovered that pam-krb5 incorrectly handled some responses. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10595

Title: USN-4317-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4317-1/ Priorities: high Description: Two use-after-free bugs were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could exploit these to cause a denial of service or execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6819
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6820

Title: USN-4315-1: Apport vulnerabilities URL: https://usn.ubuntu.com/4315-1/ Priorities: high,medium Description: Maximilien Bourgeteau discovered that the Apport lock file was created with insecure permissions. This could allow a local attacker to escalate their privileges via a symlink attack. (CVE-2020-8831) Maximilien Bourgeteau discovered a race condition in Apport when setting crash report permissions. This could allow a local attacker to… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8831
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8833

456.103

Available in VMware Tanzu Network

Release Date: March 24, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4298-1: SQLite vulnerabilities URL: https://usn.ubuntu.com/4298-1/ Priorities: medium,low Description: It was discovered that SQLite incorrectly handled certain shadow tables. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-13734, CVE-2019-13750, CVE-2019-13753) It was discovered that SQLite incorrectly handled certain corrupt records. An attacker could use… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13734
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13752
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13753
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19880
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19923
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19924
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19925
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19926
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19959
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20218
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9327

Title: USN-4299-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4299-1/ Priorities: medium,low Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the URL or other browser chrome, obtain sensitive information, bypass Content Security Policy (CSP) protections, or execute arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20503
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6805
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6806
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6807
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6809
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6812
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6813
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6814
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6815

Title: USN-4296-1: Django vulnerability URL: https://usn.ubuntu.com/4296-1/ Priorities: medium Description: Norbert Szetei discovered that Django incorrectly handled the GIS functions and aggregates on Oracle. A remote attacker could possibly use this issue to perform an SQL injection attack. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9402

456.100

Available in VMware Tanzu Network

Release Date: March 03, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4279-2: PHP regression URL: https://usn.ubuntu.com/4279-2/ Priorities: low Description: USN-4279-1 fixed vulnerabilities in PHP. The updated packages caused a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. This issue only affected… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-9253

Title: USN-4290-1: libpam-radius-auth vulnerability URL: https://usn.ubuntu.com/4290-1/ Priorities: medium Description: It was discovered that libpam-radius-auth incorrectly handled certain long passwords. A remote attacker could possibly use this issue to cause libpam-radius-auth to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-9542

Title: USN-4292-1: rsync vulnerabilities URL: https://usn.ubuntu.com/4292-1/ Priorities: low Description: It was discovered that rsync incorrectly handled pointer arithmetic in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in zlib. An… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9841
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9842
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9843

Title: USN-4289-1: Squid vulnerabilities URL: https://usn.ubuntu.com/4289-1/ Priorities: medium Description: Jeriko One discovered that Squid incorrectly handled memory when connected to an FTP server. A remote attacker could possibly use this issue to obtain sensitive information from Squid memory. (CVE-2019-12528) Regis Leroy discovered that Squid incorrectly handled certain HTTP requests. A remote attacker could possibly use this issue to access… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12528
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8449
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8450
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8517

Title: USN-4287-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4287-1/ Priorities: medium,negligible,low Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly validate device… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15099
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16229
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16232
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18683
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18786
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18809
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18885
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19057
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19062
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19071
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19078
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19082
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19332
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19965
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20096
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5108
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7053

Title: USN-4286-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4286-1/ Priorities: medium,negligible,low Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15217
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17351
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19066
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19068
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19965
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20096
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5108

Title: USN-4293-1: libarchive vulnerabilities URL: https://usn.ubuntu.com/4293-1/ Priorities: low,medium Description: It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to access sensitive information. (CVE-2019-19221) It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to cause a crash resulting in a denial of service or… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9308

Title: USN-4278-2: Firefox vulnerabilities URL: https://usn.ubuntu.com/4278-2/ Priorities: medium Description: USN-4278-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, conduct… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6798
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6800
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6801

Title: USN-4288-1: ppp vulnerability URL: https://usn.ubuntu.com/4288-1/ Priorities: medium Description: It was discovered that ppp incorrectly handled certain rhostname values. A remote attacker could use this issue to cause ppp to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8597

456.98

Available in VMware Tanzu Network

Release Date: February 18, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4277-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4277-1/ Priorities: low,medium Description: Liu Bingchang discovered that libexif incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information or cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. (CVE-2016-6328) Lili Xu and Bingchang Liu discovered that libexif incorrectly handled… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6328
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-7544
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9278

Title: USN-4275-1: Qt vulnerabilities URL: https://usn.ubuntu.com/4275-1/ Priorities: low,medium Description: It was discovered that Qt incorrectly handled certain PPM images. If a user or automated system were tricked into opening a specially crafted PPM file, a remote attacker could cause Qt to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-19872) It was discovered that Qt incorrectly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19872
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18281
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0569
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0570

Title: USN-4272-1: Pillow vulnerabilities URL: https://usn.ubuntu.com/4272-1/ Priorities: low,medium Description: It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-16865, CVE-2019-19911) It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-5312) It was discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16865
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19911
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5312
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5313

Title: USN-4273-1: ReportLab vulnerability URL: https://usn.ubuntu.com/4273-1/ Priorities: medium Description: It was discovered that ReportLab incorrectly handled certain XML documents. If a user or automated system were tricked into processing a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17626

Title: USN-4274-1: libxml2 vulnerabilities URL: https://usn.ubuntu.com/4274-1/ Priorities: low,medium Description: It was discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-19956, CVE-2020-7595) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19956
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7595

456.96

Available in VMware Tanzu Network

Release Date: February 06, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4246-1: zlib vulnerabilities URL: https://usn.ubuntu.com/4246-1/ Priorities: low Description: It was discovered that zlib incorrectly handled pointer arithmetic. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that zlib incorrectly handled vectors involving left shifts of negative integers. An attacker could use… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9841
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9842
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9843

Title: USN-4259-1: Apache Solr vulnerability URL: https://usn.ubuntu.com/4259-1/ Priorities: high Description: Michael Stepankin and Olga Barinova discovered that Apache Solr was vulnerable to an XXE attack. An attacker could use this vulnerability to remotely execute code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12629

Title: USN-4248-1: GraphicsMagick vulnerabilities URL: https://usn.ubuntu.com/4248-1/ Priorities: medium Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16545
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16669
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17498
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17500
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17501
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17502
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17503
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17782
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17783

Title: USN-4252-1: tcpdump vulnerabilities URL: https://usn.ubuntu.com/4252-1/ Priorities: low,medium Description: Multiple security issues were discovered in tcpdump. A remote attacker could use these issues to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10103
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10105
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14461
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14462
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14463
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14465
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14466
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14467
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14468
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14469
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14470
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14879
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14880
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14881
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14882
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16228
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16229
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16230
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16451
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16452
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19519
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1010220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15166
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15167

Title: USN-4254-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4254-1/ Priorities: medium,negligible,low Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18683
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18885
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19057
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19062
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19332

Title: USN-4255-2: Linux kernel (HWE) vulnerabilities URL: https://usn.ubuntu.com/4255-2/ Priorities: medium Description: USN-4255-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7053

Title: USN-4244-1: Samba vulnerabilities URL: https://usn.ubuntu.com/4244-1/ Priorities: low,medium Description: It was discovered that Samba did not automatically replicate ACLs set to inherit down a subtree on AD Directory, contrary to expectations. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-14902) Robert Święcki discovered that Samba incorrectly handled certain character conversions when the log level is… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14902
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14907
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19344

Title: USN-4247-1: python-apt vulnerabilities URL: https://usn.ubuntu.com/4247-1/ Priorities: medium Description: It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795) It was discovered that python-apt could install packages from untrusted repositories, contrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15795
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15796

Title: USN-4263-1: Sudo vulnerability URL: https://usn.ubuntu.com/4263-1/ Priorities: low Description: Joe Vennix discovered that Sudo incorrectly handled memory operations when the pwfeedback option is enabled. A local attacker could possibly use this issue to obtain unintended access to the administrator account. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18634

Title: USN-4256-1: Cyrus SASL vulnerability URL: https://usn.ubuntu.com/4256-1/ Priorities: medium Description: It was discovered that Cyrus SASL incorrectly handled certain LDAP packets. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19906

Title: USN-4249-1: e2fsprogs vulnerability URL: https://usn.ubuntu.com/4249-1/ Priorities: medium Description: It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5188

Title: USN-4265-1: SpamAssassin vulnerabilities URL: https://usn.ubuntu.com/4265-1/ Priorities: medium Description: It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker could possibly run arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1930
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1931

Title: USN-4250-1: MySQL vulnerabilities URL: https://usn.ubuntu.com/4250-1/ Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.19 in Ubuntu 19.10. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.29. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2570
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2572
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2573
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2574
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2579
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2584
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2588
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2589
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2627
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2679
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2686
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2694

Title: USN-4257-1: OpenJDK vulnerabilities URL: https://usn.ubuntu.com/4257-1/ Priorities: low,medium Description: It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583) It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2583
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2590
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2593
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2601
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2604
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2659

Title: USN-4245-1: PySAML2 vulnerability URL: https://usn.ubuntu.com/4245-1/ Priorities: medium Description: It was discovered that PySAML2 incorrectly handled certain SAML files. An attacker could possibly use this issue to bypass signature verification with arbitrary data. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5390

456.93

Available in VMware Tanzu Network

Release Date: January 21, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4232-1: GraphicsMagick vulnerabilities URL: https://usn.ubuntu.com/4232-1/ Priorities: medium,low Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14165
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14314
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14504
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14649
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14733
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14994
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14997
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-15277
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-15930
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16352
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16353

Title: USN-4237-1: SpamAssassin vulnerabilities URL: https://usn.ubuntu.com/4237-1/ Priorities: medium Description: It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker could possibly run arbitrary code. (CVE-2018-11805) It was discovered that SpamAssassin incorrectly handled certain messages. A remote attacker could possibly use this issue… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11805
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12420

Title: USN-4238-1: SDL_image vulnerabilities URL: https://usn.ubuntu.com/4238-1/ Priorities: medium,low Description: It was discovered that SDL_image incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-3977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12216
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12217
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12218
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12219
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12222
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13616
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7635

Title: USN-4240-1: Kamailio vulnerability URL: https://usn.ubuntu.com/4240-1/ Priorities: high Description: It was discovered that Kamailio could be exploited by a specially crafted message that causes a buffer overflow. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-8828

Title: USN-4239-1: PHP vulnerabilities URL: https://usn.ubuntu.com/4239-1/ Priorities: low Description: It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, 19.04 and 19.10. (CVE-2019-11045) It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11045
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11046
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11047
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11050

Title: USN-4236-2: Libgcrypt vulnerability URL: https://usn.ubuntu.com/4236-2/ Priorities: medium Description: USN-4236-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding fix for Ubuntu 16.04 LTS. Original advisory details: It was discovered that Libgcrypt was susceptible to a ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13627

Title: USN-4227-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4227-1/ Priorities: medium,low Description: It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901) It was discovered that a heap-based buffer overflow existed in the… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16231
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16233
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19045
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19083
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19529
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19534
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19807

Title: USN-4228-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4228-1/ Priorities: medium,low Description: It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901) It was discovered that a heap-based buffer overflow existed in the… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19534

Title: USN-4230-1: ClamAV vulnerability URL: https://usn.ubuntu.com/4230-1/ Priorities: medium Description: It was discovered that ClamAV incorrectly handled certain MIME messages. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15961

Title: USN-4231-1: NSS vulnerability URL: https://usn.ubuntu.com/4231-1/ Priorities: medium Description: It was discovered that NSS incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17006

Title: USN-4234-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4234-1/ Priorities: medium,low Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass Content Security Policy (CSP) restrictions, conduct cross-site scripting (XSS) attacks, or execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17016
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17017
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17020
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17024
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17025
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17026

Title: USN-4235-1: nginx vulnerability URL: https://usn.ubuntu.com/4235-1/ Priorities: medium Description: Bert JW Regeer and Francisco Oca Gonzalez discovered that nginx incorrectly handled certain error_page configurations. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks and access resources contrary to expectations. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20372

456.84

Available in VMware Tanzu Network

Release Date: February 04, 2020

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4222-1: GraphicsMagick vulnerabilities
URL: https://usn.ubuntu.com/4222-1/
Priorities: medium,low
Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11638
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11642
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11643
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12936
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12937
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13064
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13065
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13134
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13737
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13775
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13776
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13777

Title: USN-4216-2: Firefox vulnerabilities
URL: https://usn.ubuntu.com/4216-2/
Priorities: medium
Description: USN-4216-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11745
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11756
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17005
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17008
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17010
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17011
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17012
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17013
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17014

Title: USN-4220-1: Git vulnerabilities
URL: https://usn.ubuntu.com/4220-1/
Priorities: medium,low
Description: Joern Schneeweisz and Nicolas Joly discovered that Git contained various security flaws. An attacker could possibly use these issues to overwrite arbitrary paths, execute arbitrary code, and overwrite files in the .git directory.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1348
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1349
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1350
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1351
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1352
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1353
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1354
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1387
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19604

Title: USN-4217-1: Samba vulnerabilities
URL: https://usn.ubuntu.com/4217-1/
Priorities: medium
Description: Andreas Oster discovered that the Samba DNS management server incorrectly handled certain records. An authenticated attacker could possibly use this issue to crash Samba, resulting in a denial of service. (CVE-2019-14861) Isaac Boukris discovered that Samba did not enforce the Kerberos DelegationNotAllowed feature restriction, contrary to…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14861
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14870

Title: USN-4219-1: libssh vulnerability
URL: https://usn.ubuntu.com/4219-1/
Priorities: medium
Description: It was discovered that libssh incorrectly handled certain scp commands. If a user or automated system were tricked into using a specially-crafted scp command, a remote attacker could execute arbitrary commands on the server.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14889

Title: USN-4221-1: libpcap vulnerability
URL: https://usn.ubuntu.com/4221-1/
Priorities: medium
Description: It was discovered that libpcap did not properly validate PHB headers in some situations. An attacker could use this to cause a denial of service (memory exhaustion).
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15165

Title: USN-4214-2: RabbitMQ vulnerability
URL: https://usn.ubuntu.com/4214-2/
Priorities: medium
Description: USN-4214-1 fixed a vulnerability in RabbitMQ. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18609

Title: USN-4224-1: Django vulnerability
URL: https://usn.ubuntu.com/4224-1/
Priorities: high
Description: Simon Charette discovered that the password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19844
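The Django entry above describes a mechanism rather than just an outcome: the reset form looked accounts up with a case-insensitive e-mail query, and the database's idea of "equal ignoring case" can be wider than the application expects. The block below is an added example, not code from the release notes or from Django, that simulates that gap in-process and shows the two-part fix the upstream change took (re-check the match with NFKC normalization plus casefolding, and mail the stored address rather than the submitted one). The account store, the collation and the addresses are constructed; the collation is an assumption modelled on accent- and case-insensitive database collations, not any real database's behaviour.

```python
"""Added example, not from the release notes or from Django: why a
case-insensitive e-mail lookup in a password-reset flow (the CVE-2019-19844
class of bug) can hand an attacker another account's reset token, and the two
changes that close it. The account store, collation and mail delivery are
simulated in-process; the addresses are constructed."""
import unicodedata

# Constructed account store: stored address -> user id.
ACCOUNTS = {"mike@example.org": "uid-1001"}


def _collation_key(s: str) -> str:
    """Simulates a database collation that is looser than ASCII case folding
    (assumption: accent-insensitive and Unicode case-insensitive, in the
    spirit of *_general_ci collations). Not any real database's behaviour."""
    decomposed = unicodedata.normalize("NFKD", s)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.casefold()


def db_lookup_iexact(email: str):
    """Stand-in for `User.objects.filter(email__iexact=email)` under the
    simulated collation: returns (stored_address, user_id) pairs."""
    key = _collation_key(email)
    return [(addr, uid) for addr, uid in ACCOUNTS.items()
            if _collation_key(addr) == key]


def reset_vulnerable(submitted_email: str):
    """Vulnerable shape: any account the collation matches gets a token, and
    the token is mailed to the address the requester typed."""
    sent = []
    for _stored_addr, uid in db_lookup_iexact(submitted_email):
        sent.append((submitted_email, f"reset-token-for-{uid}"))  # BUG
    return sent


def _unicode_ci_compare(s1: str, s2: str) -> bool:
    """Same idea as the post-fix Django helper: NFKC-normalize, then casefold,
    so only genuine case variants of the stored address are accepted."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_fixed(submitted_email: str):
    """Fixed shape: re-check the match in application code, and mail the
    stored address, never the submitted one."""
    sent = []
    for stored_addr, uid in db_lookup_iexact(submitted_email):
        if not _unicode_ci_compare(submitted_email, stored_addr):
            continue  # collation said "equal", Unicode casefolding disagrees
        sent.append((stored_addr, f"reset-token-for-{uid}"))
    return sent


if __name__ == "__main__":
    # Two attacker inputs the simulated collation equates with the victim:
    # a diaeresis 'ï' (U+00EF) and the Kelvin sign 'K' (U+212A).
    for probe in ["m\u00efke@example.org", "mi\u212ae@example.org"]:
        print(repr(probe), "vulnerable ->", reset_vulnerable(probe))
        print(repr(probe), "fixed      ->", reset_fixed(probe))
```

The Kelvin-sign probe is the instructive case: NFKC maps U+212A to a plain `K`, so the normalized comparison still accepts it, and only the second half of the fix (mailing the stored address) keeps the token away from the attacker. Either half on its own leaves a hole.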

Title: USN-4223-1: OpenJDK vulnerabilities
URL: https://usn.ubuntu.com/4223-1/
Priorities: medium
Description: Jan Jancar, Petr Svenda, and Vladimir Sedlacek discovered that a side-channel vulnerability existed in the ECDSA implementation in OpenJDK. An attacker could use this to expose sensitive information. (CVE-2019-2894) It was discovered that the Socket implementation in OpenJDK did not properly restrict the creation of subclasses with a custom…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2894
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2945
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2949
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2962
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2964
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2973
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2975
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2978
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2981
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2983
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2987
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2988
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2989
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2992
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2999

456.77

Available in VMware Tanzu Network

Release Date: December 10, 2019

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4211-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4211-1/
Priorities: medium,negligible
Description: Zhipeng Xie discovered that an infinite loop could be triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) Nicolas Waisman discovered that the WiFi driver stack in the Linux kernel did not properly validate SSID lengths. A physically proximate attacker could…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20784
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17075
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17133

Title: USN-4205-1: SQLite vulnerabilities
URL: https://usn.ubuntu.com/4205-1/
Priorities: low,medium
Description: It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 ESM. (CVE-2018-8740) It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service. This issue…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-8740
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16168
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19242
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19244
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5018
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5827

Title: USN-4203-1: NSS vulnerability
URL: https://usn.ubuntu.com/4203-1/
Priorities: medium
Description: It was discovered that NSS incorrectly handled certain memory operations. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11745

Title: USN-4213-1: Squid vulnerabilities
URL: https://usn.ubuntu.com/4213-1/
Priorities: medium,low
Description: Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly handled certain URN requests. A remote attacker could possibly use this issue to bypass access checks and access restricted servers. This issue was only addressed in Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-12523) Jeriko One discovered that Squid incorrectly handled URN…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12523
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12526
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12854
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18676
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18677
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18678
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18679

Title: USN-4210-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4210-1/
Priorities: medium,negligible,low
Description: It was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-16746) Nicolas Waisman discovered that the WiFi driver stack in the Linux…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16746
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17075
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17133
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19060
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19065
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19075

Title: USN-4204-1: psutil vulnerability
URL: https://usn.ubuntu.com/4204-1/
Priorities: medium
Description: Riccardo Schirone discovered that psutil incorrectly handled certain reference counting operations. An attacker could use this issue to cause psutil to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18874

456.74

Available in VMware Tanzu Network

Release Date: November 26, 2019

Metadata:

BOSH Agent Version: 2.234.7

USNs:

Title: USN-4198-1: DjVuLibre vulnerabilities
URL: https://usn.ubuntu.com/4198-1/
Priorities: low
Description: It was discovered that DjVuLibre incorrectly handled certain memory operations. If a user or automated system were tricked into processing a specially crafted DjVu file, a remote attacker could cause applications to hang or crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15142
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15143
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15144
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15145
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18804

456.69

Available in VMware Tanzu Network

Release Date: November 18, 2019

Metadata:

BOSH Agent Version: 2.234.6

USNs:

Title: USN-4186-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4186-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12207
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0154
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15098
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16746
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17666
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2215

Title: USN-4185-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4185-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12207
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0154
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15098
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17666

Title: USN-4190-1: libjpeg-turbo vulnerabilities
URL: https://usn.ubuntu.com/4190-1/
Priorities: low,medium
Description: It was discovered that libjpeg-turbo incorrectly handled certain BMP images. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-14498) It was discovered that libjpeg-turbo incorrectly handled certain JPEG images. An attacker could possibly use this…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14498
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19664
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20330
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2201

Title: USN-4185-3: Linux kernel vulnerability and regression
URL: https://usn.ubuntu.com/4185-3/
Priorities: high
Description: USN-4185-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. Also, the update introduced a regression that broke KVM guests where extended page tables (EPT) are disabled or not supported. This update…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155

Title: USN-4186-3: Linux kernel vulnerability
URL: https://usn.ubuntu.com/4186-3/
Priorities: high
Description: USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. This update addresses the issue. We apologize for the inconvenience. Original advisory details: Stephan van Schaik, Alyssa Milburn, Sebastian…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155

Title: USN-4182-1: Intel Microcode update
URL: https://usn.ubuntu.com/4182-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11139

Title: USN-4191-1: QEMU vulnerabilities
URL: https://usn.ubuntu.com/4191-1/
Priorities: low
Description: It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. (CVE-2019-12068) Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12068
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13164
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14378
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15890

Title: USN-4192-1: ImageMagick vulnerabilities
URL: https://usn.ubuntu.com/4192-1/
Priorities: low,negligible,medium
Description: It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12974
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12975
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12976
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12978
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12979
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13137
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13295
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13297
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13301
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13304
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13305
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13306
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13307
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13391
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13454
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14981
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15139
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15140
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16708
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16709
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16710
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16713

456.58

Available in VMware Tanzu Network

Release Date: November 12, 2019

Metadata:

BOSH Agent Version: 2.234.6

USNs:

Title: USN-4171-1: Apport vulnerabilities
URL: https://usn.ubuntu.com/4171-1/
Priorities: low,medium
Description: Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. This could be used by a local attacker to possibly crash Apport or have other unspecified consequences. (CVE-2019-11481) Sander Bos discovered a race-condition in Apport during core dump creation. This could be used by a local attacker to generate a…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11481
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11482
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11483
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11485
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15790

Title: USN-4170-1: Whoopsie vulnerability
URL: https://usn.ubuntu.com/4170-1/
Priorities: medium
Description: Kevin Backhouse discovered Whoopsie incorrectly handled very large crash reports. A local attacker could possibly use this issue to cause a denial of service, expose sensitive information or execute code as the whoopsie user.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11484

Title: USN-4176-1: GNU cpio vulnerability
URL: https://usn.ubuntu.com/4176-1/
Priorities: medium
Description: Thomas Habets discovered that GNU cpio incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14866

Title: USN-4172-1: file vulnerability
URL: https://usn.ubuntu.com/4172-1/
Priorities: medium
Description: It was discovered that file incorrectly handled certain malformed files. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18218

Title: USN-4174-1: HAproxy vulnerability
URL: https://usn.ubuntu.com/4174-1/
Priorities: medium
Description: It was discovered that HAproxy incorrectly handled certain HTTP requests. An attacker could possibly use this issue to perform privilege escalation (Request Smuggling).
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18277

Title: USN-4169-1: libarchive vulnerability
URL: https://usn.ubuntu.com/4169-1/
Priorities: medium
Description: It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18408

Title: USN-4175-1: Nokogiri vulnerability
URL: https://usn.ubuntu.com/4175-1/
Priorities: medium
Description: It was discovered that Nokogiri incorrectly handled inputs. A remote attacker could possibly use this issue to execute arbitrary OS commands.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5477

456.51

Available in VMware Tanzu Network

Release Date: October 29, 2019

BOSH Agent version: 2.234.5

Addresses CVE-2019-17596

456.40

Available in VMware Tanzu Network

Release Date: October 24, 2019

BOSH Agent version: 2.234.3

USNs:

Title: USN-4150-1: Thunderbird vulnerabilities
URL: https://usn.ubuntu.com/4150-1/
Priorities: medium
Description: It was discovered that encrypted S/MIME parts in a multipart message can leak plaintext contents when included in an HTML reply or forward in some circumstances. If a user were tricked into replying to or forwarding a specially crafted message, an attacker could potentially exploit this to obtain sensitive information. (CVE-2019-11739) Multiple…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11739
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11740
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11742
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11743
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11744
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11746
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11752

Title: USN-4156-1: SDL vulnerabilities
URL: https://usn.ubuntu.com/4156-1/
Priorities: low,medium
Description: It was discovered that SDL incorrectly handled certain images. If a user were tricked into opening a crafted image file, a remote attacker could use this issue to cause SDL to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13616
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7572
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7573
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7574
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7576
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7578
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7635
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7636
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7637
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7638

Title: USN-4154-1: Sudo vulnerability
URL: https://usn.ubuntu.com/4154-1/
Priorities: medium
Description: Joe Vennix discovered that Sudo incorrectly handled certain user IDs. An attacker could potentially exploit this to execute arbitrary commands as the root user.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14287

Title: USN-4151-1: Python vulnerabilities
URL: https://usn.ubuntu.com/4151-1/
Priorities: medium,low
Description: It was discovered that Python incorrectly parsed certain email addresses. A remote attacker could possibly use this issue to trick Python applications into accepting email addresses that should be denied. (CVE-2019-16056) It was discovered that the Python documentation XML-RPC server incorrectly handled certain fields. A remote attacker could use…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16935

Title: USN-4155-1: Aspell vulnerability
URL: https://usn.ubuntu.com/4155-1/
Priorities: medium
Description: It was discovered that Aspell incorrectly handled certain inputs. An attacker could potentially access sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17544

456.30

Available in VMware Tanzu Network

Release Date: October 08, 2019

BOSH Agent version: 2.234.2

USNs:

456.27

Available in VMware Tanzu Network

Release Date: September 24, 2019

BOSH Agent version: 2.234.2

USNs:

456.25

Available in VMware Tanzu Network

Release Date: September 19, 2019

BOSH Agent version: 2.117.13

USNs:

Title: USN-4128-1: Tomcat vulnerabilities
URL: https://usn.ubuntu.com/4128-1/
Priorities: low,medium
Description: It was discovered that the Tomcat 8 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to perform an XSS attack. (CVE-2019-0221) It was discovered that Tomcat 8 did not address HTTP/2 connection window exhaustion on write while addressing CVE-2019-0199. An attacker could possibly use…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-10072

Title: USN-4133-1: Wireshark vulnerabilities
URL: https://usn.ubuntu.com/4133-1/
Priorities: low,medium
Description: It was discovered that Wireshark improperly handled certain input. A remote or local attacker could cause Wireshark to crash by injecting malformed packets onto the wire or convincing someone to read a malformed packet trace file.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12295
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13619

Title: USN-4134-1: IBus vulnerability
URL: https://usn.ubuntu.com/4134-1/
Priorities: medium
Description: Simon McVittie discovered that IBus did not enforce appropriate access controls on its private D-Bus socket. A local unprivileged user who discovers the IBus socket address of another user could exploit this to capture the keystrokes of the other user.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14822

Title: USN-4115-2: Linux kernel regression
URL: https://usn.ubuntu.com/4115-2
Description: USN 4115-1 introduced a regression in the Linux kernel
CVEs:

Title: USN-4135-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4135-1/
Priorities: high,medium
Description: Peter Pi discovered a buffer overflow in the virtio network backend (vhost_net) implementation in the Linux kernel. An attacker in a guest may be able to use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host OS. (CVE-2019-14835) It was discovered that the Linux kernel on PowerPC architectures did…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14835
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15030
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15031

Title: USN-4132-1: Expat vulnerability
URL: https://usn.ubuntu.com/4132-1/
Priorities: medium
Description: It was discovered that Expat incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15903

Title: USN-4129-1: curl vulnerabilities
URL: https://usn.ubuntu.com/4129-1/
Priorities: medium
Description: Thomas Vegas discovered that curl incorrectly handled memory when using Kerberos over FTP. A remote attacker could use this issue to crash curl, resulting in a denial of service. (CVE-2019-5481) Thomas Vegas discovered that curl incorrectly handled memory during TFTP transfers. A remote attacker could use this issue to crash curl, resulting in a…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5481
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5482

456.22

Release Date: September 10, 2019

BOSH Agent version: 2.234.2

USNs:

Title: USN-4122-1: Firefox vulnerabilities
URL: https://usn.ubuntu.com/4122-1/
Priorities: medium,low,negligible
Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to obtain sensitive information, bypass Content Security Policy (CSP) protections, bypass same-origin restrictions, conduct cross-site scripting (XSS) attacks, cause a denial of service,…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9812

Title: USN-4124-1: Exim vulnerability
URL: https://usn.ubuntu.com/4124-1/
Priorities: high
Description: It was discovered that Exim incorrectly handled certain decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15846

456.16

Available in VMware Tanzu Network

Release Date: September 03, 2019

Updates golang to versions that fix the CVEs disclosed at https://github.com/golang/go/issues/33606.

For more details, see https://kb.cert.org/vuls/id/605641/, which describes all the CVEs that make HTTP/2 implementations vulnerable to DDoS, and https://vuls.cert.org/confluence/pages/viewpage.action?pageId=56393752, which shows a matrix of which HTTP/2 implementations are affected by which vulnerabilities.

Because stemcells are implemented in golang, the vulnerabilities fixed in this patch are:
- CVE-2019-9512, also known as Ping Flood
- CVE-2019-9514, also known as Reset Flood

456.14

Release Date: August 27, 2019

BOSH Agent version: 2.234.0

Bi-weekly stemcell release

456.12

Release Date: August 16, 2019

BOSH Agent version: 2.234.0

Bi-weekly stemcell bump

456.3

Release Date: August 01, 2019

BOSH Agent version: 2.234.0

Bi-weekly update

456.1

Release Date: August 01, 2019

BOSH Agent version: 2.234.0

First release for 456 major line

315.x

This section includes release notes for the 315 line of Linux stemcells used with Ops Manager.

315.201

Available in VMware Tanzu Network

Release Date: November 16, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4587-1: iTALC vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4587-1
Priorities: medium,low
Description: Nicolas Ruff discovered that iTALC had buffer overflows, divide-by-zero errors and didn’t check malloc return values. A remote attacker could use these issues to cause a denial of service or possibly execute arbitrary code. (CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055) Josef Gajdusek discovered that iTALC had…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9941
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15127
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20019
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20020
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20021
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20024
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20748
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20749
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7225
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681

Title: USN-4552-2: Pam-python vulnerability
URL: https://ubuntu.com/security/notices/USN-4552-2
Priorities: medium
Description: Malte Kraus discovered that Pam-python mishandled certain environment variables. A local attacker could potentially use this vulnerability to execute programs as root.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16729

315.199

Available in VMware Tanzu Network

Release Date: October 23, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4593-1: FreeType vulnerability
URL: https://ubuntu.com/security/notices/USN-4593-1
Priorities: high
Description: Sergei Glazunov discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15999

315.198

Available in VMware Tanzu Network

Release Date: October 20, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4582-1: Vim vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4582-1
Priorities: low
Description: It was discovered that Vim incorrectly handled permissions on the .swp file. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-17087) It was discovered that Vim incorrectly handled restricted mode. A local attacker could possibly use this issue to bypass restricted…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17087
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20807

Title: USN-4579-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4579-1
Priorities: low,medium,high
Description: Hador Manor discovered that the DCCP protocol implementation in the Linux kernel improperly handled socket reuse, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-16119) Wen Xu discovered that the XFS file system in the Linux kernel…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10322
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14314
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16119
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25285

Title: USN-4591-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4591-1
Priorities: high,medium
Description: Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351) Andy Nguyen discovered that the Bluetooth A2MP implementation in the…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12351
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12352

Title: USN-4589-1: containerd vulnerability
URL: https://ubuntu.com/security/notices/USN-4589-1
Priorities: medium
Description: It was discovered that containerd could be made to expose sensitive information when processing URLs in container image manifests. A remote attacker could use this to trick the user and obtain the user’s registry credentials.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15157

Title: USN-4589-2: Docker vulnerability
URL: https://ubuntu.com/security/notices/USN-4589-2
Priorities: medium
Description: USN-4589-1 fixed a vulnerability in containerd. This update provides the corresponding update for docker.io. Original advisory details: It was discovered that containerd could be made to expose sensitive information when processing URLs in container image manifests. A remote attacker could use this to trick the user and obtain the user’s…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15157

Title: USN-4581-1: Python vulnerability
URL: https://ubuntu.com/security/notices/USN-4581-1
Priorities: medium
Description: It was discovered that Python incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-26116

Title: USN-4584-1: HtmlUnit vulnerability
URL: https://ubuntu.com/security/notices/USN-4584-1
Priorities: medium
Description: It was discovered that HtmlUnit incorrectly initialized the Rhino engine. An attacker could possibly use this issue to execute arbitrary Java code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5529

Title: USN-4583-1: PHP vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4583-1
Priorities: medium
Description: It was discovered that PHP incorrectly handled certain encrypt ciphers. An attacker could possibly use this issue to decrease security or cause incorrect encryption data. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-7069) It was discovered that PHP incorrectly handled certain HTTP cookies. An attacker could…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7069
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7070

315.196

Available in VMware Tanzu Network

Release Date: October 14, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4573-1: Vino vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4573-1
Priorities: medium,low
Description: Nicolas Ruff discovered that Vino incorrectly handled large ClientCutText messages. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2014-6053) It was discovered that Vino incorrectly handled certain packet lengths. A remote attacker could possibly use this issue to obtain…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7225
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14397
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14402
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14403
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14404

Title: USN-4554-1: libPGF vulnerability
URL: https://ubuntu.com/security/notices/USN-4554-1
Priorities: medium
Description: It was discovered that libPGF lacked proper validation when opening a specially crafted PGF file. An attacker could possibly use this issue to cause a denial of service.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-6673

Title: USN-4557-1: Tomcat vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4557-1
Priorities: low,medium
Description: It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn’t exist. A remote attacker could possibly use this issue to enumerate usernames. (CVE-2016-0762) Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-0762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-5018
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6794
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6797
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6816
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-8735

Title: USN-4578-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4578-1
Priorities: low,medium,high
Description: Hador Manor discovered that the DCCP protocol implementation in the Linux kernel improperly handled socket reuse, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-16119) Wen Xu discovered that the XFS file system in the Linux kernel…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10322
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19448
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14314
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16119
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16120
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25212
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-26088

Title: USN-4547-2: SSVNC vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4547-2
Priorities: medium
Description: It was discovered that the LibVNCClient vendored in SSVNC incorrectly handled certain packet lengths. A remote attacker could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. (CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20024)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20020
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20021
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20024

Title: USN-4571-1: rack-cors vulnerability
URL: https://ubuntu.com/security/notices/USN-4571-1
Priorities: medium
Description: It was discovered that rack-cors did not properly handle relative file paths. An attacker could use this vulnerability to access arbitrary files.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18978

Title: USN-4572-1: Spice vulnerability
URL: https://ubuntu.com/security/notices/USN-4572-1
Priorities: medium
Description: Frediano Ziglio discovered that Spice incorrectly handled QUIC image decoding. A remote attacker could use this to cause Spice to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14355

Title: USN-4559-1: Samba update
URL: https://ubuntu.com/security/notices/USN-4559-1
Priorities: medium
Description: Tom Tervoort discovered that the Netlogon protocol implemented by Samba incorrectly handled the authentication scheme. A remote attacker could use this issue to forge an authentication token and steal the credentials of the domain admin. While a previous security update fixed the issue by changing the “server schannel” setting to default to…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1472

Title: USN-4551-1: Squid vulnerabilities URL: https://ubuntu.com/security/notices/USN-4551-1 Priorities: low,medium Description: Alex Rousskov and Amit Klein discovered that Squid incorrectly handled certain Content-Length headers. A remote attacker could possibly use this issue to perform an HTTP request smuggling attack, resulting in cache poisoning. (CVE-2020-15049) Amit Klein discovered that Squid incorrectly validated certain data. A remote attacker could possibly use… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15049
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24606

Title: USN-4564-1: Apache Tika vulnerabilities URL: https://ubuntu.com/security/notices/USN-4564-1 Priorities: medium,low Description: It was discovered that Apache Tika can have an excessive memory usage by using a crafted or corrupt PSD file. An attacker could use it to cause a denial of service (crash). (CVE-2020-1950, CVE-2020-1951) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1950
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1951

Title: USN-4570-1: urllib3 vulnerability URL: https://ubuntu.com/security/notices/USN-4570-1 Priorities: medium Description: It was discovered that urllib3 incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-26137

Title: USN-4568-1: Brotli vulnerability URL: https://ubuntu.com/security/notices/USN-4568-1 Priorities: medium Description: It was discovered that Brotli incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8927

315.194

Available in VMware Tanzu Network

Release Date: September 28, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4500-1: bsdiff vulnerabilities URL: https://ubuntu.com/security/notices/USN-4500-1 Priorities: medium Description: It was discovered that bsdiff mishandled certain input. If a user were tricked into opening a malicious file, an attacker could cause bsdiff to crash or potentially execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-9862

Title: USN-4506-1: MCabber vulnerability URL: https://ubuntu.com/security/notices/USN-4506-1 Priorities: medium Description: It was discovered that MCabber does not properly manage roster pushes. An attacker could possibly use this issue to remotely perform man-in-the-middle attacks. (CVE-2016-9928) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9928

Title: USN-4513-1: apng2gif vulnerability URL: https://ubuntu.com/security/notices/USN-4513-1 Priorities: medium Description: Dileep Kumar Jallepalli discovered that apng2gif incorrectly handled loading APNG files. An attacker could exploit this with a crafted APNG file to access sensitive information. (CVE-2017-6960) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-6960

Title: USN-4517-1: Email-Address-List vulnerability URL: https://ubuntu.com/security/notices/USN-4517-1 Priorities: medium Description: It was discovered that Email-Address-List does not properly parse email addresses during email-ingestion. A remote attacker could use this issue to cause an algorithmic complexity attack, resulting in a denial of service. (CVE-2018-18898) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18898

Title: USN-4507-1: ncmpc vulnerability URL: https://ubuntu.com/security/notices/USN-4507-1 Priorities: medium Description: It was discovered that ncmpc incorrectly handled long chat messages. A remote attacker could possibly exploit this with a crafted chat message, causing ncmpc to crash, resulting in a denial of service. (CVE-2018-9240) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-9240

Title: USN-4499-1: MilkyTracker vulnerabilities URL: https://ubuntu.com/security/notices/USN-4499-1 Priorities: medium Description: It was discovered that MilkyTracker did not properly handle certain input. If a user were tricked into opening a malicious file, an attacker could cause MilkyTracker to crash or potentially execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14496
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14497

Title: USN-4504-1: OpenSSL vulnerabilities URL: https://ubuntu.com/security/notices/USN-4504-1 Priorities: low Description: Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1551
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1563
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1968

Title: USN-4498-1: Loofah vulnerability URL: https://ubuntu.com/security/notices/USN-4498-1 Priorities: medium Description: It was discovered that Loofah does not properly sanitize JavaScript in sanitized output. An attacker could possibly use this issue to perform XSS attacks. (CVE-2019-15587) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15587

Title: USN-4496-1: Apache XML-RPC vulnerability URL: https://ubuntu.com/security/notices/USN-4496-1 Priorities: medium Description: It was discovered that Apache XML-RPC (aka ws-xmlrpc) does not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-17570) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17570

Title: USN-4526-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4526-1 Priorities: low,medium Description: It was discovered that the AMD Cryptographic Coprocessor device driver in the Linux kernel did not properly deallocate memory in some situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-18808) It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19061
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19073
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19074
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9445
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12888
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14356
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16166

Title: USN-4527-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4527-1 Priorities: low,medium Description: It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19054) It was discovered that the Atheros HTC based wireless driver in the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19073
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19074
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9445
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9453
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25212

Title: USN-4520-1: Exim SpamAssassin vulnerability URL: https://ubuntu.com/security/notices/USN-4520-1 Priorities: medium Description: It was discovered that Exim SpamAssassin does not properly handle configuration strings. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-19920) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19920

Title: USN-4534-1: Perl DBI module vulnerability URL: https://ubuntu.com/security/notices/USN-4534-1 Priorities: medium Description: It was discovered that Perl DBI module incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20919

Title: USN-4535-1: RDFLib vulnerability URL: https://ubuntu.com/security/notices/USN-4535-1 Priorities: medium Description: Gabriel Corona discovered that RDFLib did not properly load modules on the command-line. An attacker could possibly use this issue to cause RDFLib to execute arbitrary code. (CVE-2019-7653) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7653

Title: USN-4528-1: Ceph vulnerabilities URL: https://ubuntu.com/security/notices/USN-4528-1 Priorities: medium Description: Adam Mohammed discovered that Ceph incorrectly handled certain CORS ExposeHeader tags. A remote attacker could possibly use this issue to perform an HTTP header injection attack. (CVE-2020-10753) Lei Cao discovered that Ceph incorrectly handled certain POST requests with invalid tagging XML. A remote attacker could possibly use this issue… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10753
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12059
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1760

Title: USN-4518-1: xawtv vulnerability URL: https://ubuntu.com/security/notices/USN-4518-1 Priorities: low Description: Matthias Gerstner discovered that xawtv incorrectly handled opening files. A local attacker could possibly use this issue to open and write to arbitrary files and escalate privileges. (CVE-2020-13696) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13696

Title: USN-4521-1: pam_tacplus vulnerability URL: https://ubuntu.com/security/notices/USN-4521-1 Priorities: low Description: It was discovered that pam_tacplus did not properly manage shared secrets if DEBUG loglevel and journald are used. A remote attacker could use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13881

Title: USN-4511-1: QEMU vulnerability URL: https://ubuntu.com/security/notices/USN-4511-1 Priorities: medium Description: Ziming Zhang, Xiao Wei, Gonglei Arei, and Yanyu Zhang discovered that QEMU incorrectly handled certain USB packets. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14364

Title: USN-4503-1: Perl DBI module vulnerability URL: https://ubuntu.com/security/notices/USN-4503-1 Priorities: medium Description: It was discovered that Perl DBI module incorrectly handled certain calls. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14392

Title: USN-4537-1: Aptdaemon vulnerability URL: https://ubuntu.com/security/notices/USN-4537-1 Priorities: medium Description: Vaisha Bernard discovered that Aptdaemon incorrectly handled the Locale property. A local attacker could use this issue to test for the presence of local files. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15703

Title: USN-4519-1: PulseAudio vulnerability URL: https://ubuntu.com/security/notices/USN-4519-1 Priorities: medium Description: Ratchanan Srirattanamet discovered that an Ubuntu-specific patch caused PulseAudio to incorrectly handle memory under certain error conditions in the Bluez 5 module. An attacker could use this issue to cause PulseAudio to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-15710) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15710

Title: USN-4501-1: LuaJIT vulnerability URL: https://ubuntu.com/security/notices/USN-4501-1 Priorities: low Description: It was discovered that an out-of-bounds read existed in LuaJIT. An attacker could use this to cause a denial of service (application crash) or possibly expose sensitive information. (CVE-2020-15890) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15890

Title: USN-4538-1: PackageKit vulnerabilities URL: https://ubuntu.com/security/notices/USN-4538-1 Priorities: low,medium Description: Vaisha Bernard discovered that PackageKit incorrectly handled certain methods. A local attacker could use this issue to learn the MIME type of any file on the system. (CVE-2020-16121) Sami Niemimäki discovered that PackageKit incorrectly handled local deb packages. A local user could possibly use this issue to install untrusted packages, contrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16121
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16122

Title: USN-4514-1: libproxy vulnerability URL: https://ubuntu.com/security/notices/USN-4514-1 Priorities: medium Description: It was discovered that libproxy incorrectly handled certain PAC files. An attacker could possibly use this issue to cause a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25219

Title: USN-4508-1: StoreBackup vulnerability URL: https://ubuntu.com/security/notices/USN-4508-1 Priorities: medium Description: It was discovered that StoreBackup did not properly manage lock files. A local attacker could use this issue to cause a denial of service or escalate privileges and run arbitrary code. (CVE-2020-7040) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7040

Title: USN-4515-1: Pure-FTPd vulnerability URL: https://ubuntu.com/security/notices/USN-4515-1 Priorities: low Description: Antonio Norales discovered that Pure-FTPd incorrectly handled directory aliases. An attacker could possibly use this issue to access sensitive information. (CVE-2020-9274) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9274

315.193

Available in VMware Tanzu Network

Release Date: September 09, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4485-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4485-1 Priorities: low,medium,negligible Description: Timothy Michaud discovered that the i915 graphics driver in the Linux kernel did not properly validate user memory locations for the i915_gem_execbuffer2_ioctl. A local attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2018-20669) It was discovered that the Kvaser CAN/USB driver in the Linux kernel… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20669
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10781
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12771
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15393
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24394

Title: USN-4476-1: NSS vulnerability URL: https://ubuntu.com/security/notices/USN-4476-1 Priorities: medium Description: It was discovered that NSS incorrectly handled some inputs. An attacker could possibly use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12403

Title: USN-4490-1: X.Org X Server vulnerability URL: https://ubuntu.com/security/notices/USN-4490-1 Priorities: medium Description: Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XkbSetNames function. A local attacker could possibly use this issue to escalate privileges. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14345

Title: USN-4489-1: Linux kernel vulnerability URL: https://ubuntu.com/security/notices/USN-4489-1 Priorities: high Description: Or Cohen discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14386

Title: USN-4482-1: Ark vulnerability URL: https://ubuntu.com/security/notices/USN-4482-1 Priorities: medium Description: Fabian Vogt discovered that Ark incorrectly handled symbolic links in tar archive files. An attacker could use this to construct a malicious tar archive that, when opened, would create files outside the extraction directory. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24654

315.192

Available in VMware Tanzu Network

Release Date: August 27, 2020

Metadata:

BOSH Agent Version: 2.215.10

This release changes the way the Linux Google light stemcell works to reference a source image. It will lead to a decrease in the time it takes to upload the light stemcell. This change will also help mitigate the impact of the new GCP image creation rate limit, which any user uploading more than 6 GCP stemcells an hour would hit.

USNs:

Title: USN-4459-1: Salt vulnerabilities URL: https://ubuntu.com/security/notices/USN-4459-1 Priorities: medium Description: It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. (CVE-2018-15750) It was discovered that Salt has a vulnerability that allows a user to bypass authentication. An attacker could use that to extract sensitive information, execute arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17361
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11651
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11652

Title: USN-4467-1: QEMU vulnerabilities URL: https://ubuntu.com/security/notices/USN-4467-1 Priorities: medium,low Description: Ziming Zhang and VictorV discovered that the QEMU SLiRP networking implementation incorrectly handled replying to certain ICMP echo requests. An attacker inside a guest could possibly use this issue to leak host memory to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-10756) Eric Blake and Xueqiang Wei… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10756
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10761
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12829
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13253
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13361
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13362
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13659
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13754
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13765
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13800
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14415
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15863
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16092

Title: USN-4463-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4463-1 Priorities: low Description: It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12771) Kyungtae Kim discovered that the USB testing driver in the Linux kernel did not properly deallocate memory on disconnect events. A… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12771
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15393

Title: USN-4469-1: Ghostscript vulnerabilities URL: https://ubuntu.com/security/notices/USN-4469-1 Priorities: medium Description: It was discovered that Ghostscript incorrectly handled certain document files. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could use this issue to cause Ghostscript to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16287
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16288
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16289
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16290
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16292
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16293
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16294
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16295
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16296
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16297
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16298
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16299
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16301
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16302
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16303
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16304
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16305
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16306
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16307
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-17538

Title: USN-4466-1: curl vulnerability URL: https://ubuntu.com/security/notices/USN-4466-1 Priorities: low Description: Marc Aldorasi discovered that curl incorrectly handled the libcurl CURLOPT_CONNECT_ONLY option. This could result in data being sent to the wrong destination, possibly exposing sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8231

Title: USN-4468-1: Bind vulnerabilities URL: https://ubuntu.com/security/notices/USN-4468-1 Priorities: medium,low Description: Emanuel Almeida discovered that Bind incorrectly handled certain TCP payloads. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8620) Joseph Gullo discovered that Bind incorrectly handled QNAME minimization when used in certain… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8620
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8621
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8622
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8623
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8624

315.191

Available in VMware Tanzu Network

Release Date: August 18, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4427-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4427-1 Priorities: negligible,low,medium Description: It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that the go7007 USB audio device driver in the Linux kernel did not properly deallocate memory… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974

Title: USN-4446-1: Squid vulnerabilities URL: https://ubuntu.com/security/notices/USN-4446-1 Priorities: medium Description: Jeriko One discovered that Squid incorrectly handled caching certain requests. A remote attacker could possibly use this issue to perform cache-injection attacks or gain access to reverse proxy features such as ESI. (CVE-2019-12520) Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly handled certain URN requests. A remote… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12520
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12523
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18676

Title: USN-4426-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4426-1 Priorities: medium Description: Jason A. Donenfeld discovered that the ACPI implementation in the Linux kernel did not properly restrict loading SSDT code from an EFI variable. A privileged attacker could use this to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel. (CVE-2019-20908) Fan Yang discovered that the mremap implementation in the Linux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10757
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15780

Title: USN-4432-1: GRUB 2 vulnerabilities URL: https://ubuntu.com/security/notices/USN-4432-1 Priorities: high,medium Description: Jesse Michael and Mickey Shkatov discovered that the configuration parser in GRUB2 did not properly exit when errors were discovered, resulting in heap-based buffer overflows. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713) Chris Coulson discovered that the GRUB2 function… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10713
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15705
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15706
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15707

Title: USN-4449-1: Apport vulnerabilities URL: https://ubuntu.com/security/notices/USN-4449-1 Priorities: medium Description: Ryota Shiga discovered that Apport incorrectly dropped privileges when making certain D-Bus calls. A local attacker could use this issue to read arbitrary files. (CVE-2020-11936) Seong-Joong Kim discovered that Apport incorrectly parsed configuration files. A local attacker could use this issue to cause Apport to crash, resulting in a denial of… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11936
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15701
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15702

Title: USN-4455-1: NSS vulnerabilities URL: https://ubuntu.com/security/notices/USN-4455-1 Priorities: medium Description: It was discovered that NSS incorrectly handled certain signatures. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-12400, CVE-2020-12401, CVE-2020-6829) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12400
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12401
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6829

Title: USN-4448-1: Tomcat vulnerabilities URL: https://ubuntu.com/security/notices/USN-4448-1 Priorities: medium,low Description: It was discovered that Tomcat incorrectly validated the payload length in a WebSocket frame. A remote attacker could possibly use this issue to cause Tomcat to hang, resulting in a denial of service. (CVE-2020-13935) It was discovered that Tomcat incorrectly handled HTTP header parsing. In certain environments where Tomcat is located behind a… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9484

Title: USN-4454-1: Samba vulnerability URL: https://ubuntu.com/security/notices/USN-4454-1 Priorities: medium Description: Martin von Wittich and Wilko Meyer discovered that Samba incorrectly handled certain empty UDP packets when being used as an AD DC NBT server. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14303

Title: USN-4441-1: MySQL vulnerabilities URL: https://ubuntu.com/security/notices/USN-4441-1 Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.21 in Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.31. In addition to security fixes, the updated packages contain bug fixes, new features, and… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14539
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14540
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14550
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14553
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14559
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14568
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14576
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14586
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14591
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14597
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14619
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14620
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14623
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14624
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14631
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14632
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14633
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14634
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14643
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14651
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14663
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14678
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14680
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14697
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14702

Title: USN-4453-1: OpenJDK 8 vulnerabilities URL: https://ubuntu.com/security/notices/USN-4453-1 Priorities: medium Description: Johannes Kuhn discovered that OpenJDK 8 incorrectly handled access control contexts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-14556) Philippe Arteau discovered that OpenJDK 8 incorrectly verified names in TLS server’s X.509 certificates. An attacker could possibly use this issue to obtain sensitive… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14556
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14578
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14579
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14581
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14583
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14593
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14621

Title: USN-4443-1: Firefox vulnerabilities URL: https://ubuntu.com/security/notices/USN-4443-1 Priorities: medium,low Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass iframe sandbox restrictions, confuse the user, or execute arbitrary code. (CVE-2020-6463, CVE-2020-6514,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15652
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15653
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15658
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15659
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6463
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6514

Title: USN-4451-1: ppp vulnerability URL: https://ubuntu.com/security/notices/USN-4451-1 Priorities: medium Description: Thomas Chauchefoin, working with Trend Micro's Zero Day Initiative, discovered that ppp incorrectly handled module loading. A local attacker could use this issue to load arbitrary kernel modules and possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15704

Title: USN-4447-1: libssh vulnerability URL: https://ubuntu.com/security/notices/USN-4447-1 Priorities: medium Description: It was discovered that libssh incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16135

315.189

Available in VMware Tanzu Network

Release Date: July 30, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4427-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4427-1 Priorities: low,medium,negligible Description: It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974

Title: USN-4426-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4426-1 Priorities: medium Description: Jason A. Donenfeld discovered that the ACPI implementation in the Linux kernel did not properly restrict loading SSDT code from an EFI variable. A privileged attacker could use this to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel. (CVE-2019-20908) Fan Yang discovered that the mremap implementation in the Linux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10757
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15780

Title: USN-4436-1: librsvg vulnerabilities URL: https://ubuntu.com/security/notices/USN-4436-1 Priorities: low Description: It was discovered that librsvg incorrectly handled parsing certain SVG files. A remote attacker could possibly use this issue to cause librsvg to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-11464) It was discovered that librsvg incorrectly handled parsing certain SVG files with nested patterns. A… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20446

Title: USN-4435-1: ClamAV vulnerabilities URL: https://ubuntu.com/security/notices/USN-4435-1 Priorities: medium Description: It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327) It was discovered that ClamAV incorrectly handled scanning malicious files. A local attacker could possibly use this issue to delete arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3327
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3350
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3481

Title: USN-4434-1: LibVNCServer vulnerabilities URL: https://ubuntu.com/security/notices/USN-4434-1 Priorities: medium Description: Ramin Farajpour Cami discovered that LibVNCServer incorrectly handled certain malformed unix socket names. A remote attacker could exploit this with a crafted socket name, leading to a denial of service, or possibly execute arbitrary code. (CVE-2019-20839) It was discovered that LibVNCServer did not properly access byte-aligned data. A remote… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20839
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14396
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14397
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14398
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14399
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14400
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14401
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14402
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14403
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14404
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14405

Title: USN-4431-1: FFmpeg vulnerabilities URL: https://ubuntu.com/security/notices/USN-4431-1 Priorities: low,medium Description: It was discovered that FFmpeg incorrectly verified empty audio packets or HEVC data. An attacker could possibly use this issue to cause a denial of service via a crafted file. This issue only affected Ubuntu 16.04 LTS, as it was already fixed in Ubuntu 18.04 LTS. For more information see: https://usn.ubuntu.com/usn/usn-3967-1 (CVE-2018-15822,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15822
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11338
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12730
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13312
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13390
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17539
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17542
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12284
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13904

Title: USN-4428-1: Python vulnerabilities URL: https://ubuntu.com/security/notices/USN-4428-1 Priorities: low,medium Description: It was discovered that Python documentation contained misleading information. A security issue could possibly be caused by wrong assumptions based on this information. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-17514) It was discovered that Python incorrectly handled certain TAR… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17514
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20907
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9674
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14422

Title: USN-4424-1: snapd vulnerabilities URL: https://ubuntu.com/security/notices/USN-4424-1 Priorities: medium Description: It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices ran on every boot without restrictions. A physical attacker could exploit this to craft cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11933
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11934

Title: USN-4421-1: Thunderbird vulnerabilities URL: https://ubuntu.com/security/notices/USN-4421-1 Priorities: medium Description: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-12405, CVE-2020-12406, CVE-2020-12410, CVE-2020-12417,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12398
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12399
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12405
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12406
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12410
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12417
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12418
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12419
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12420
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12421

Title: USN-4419-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4419-1 Priorities: low,medium Description: It was discovered that a race condition existed in the Precision Time Protocol (PTP) implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-10690) Matthew Sheets discovered that the SELinux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10690
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12770
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13143
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

Title: USN-4414-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4414-1 Priorities: low,medium,negligible Description: It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16089
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19036
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19039
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19318
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19377
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19462
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19813
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19816
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12770
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13143

Title: USN-4416-1: GNU C Library vulnerabilities URL: https://ubuntu.com/security/notices/USN-4416-1 Priorities: low,medium Description: Florian Weimer discovered that the GNU C Library incorrectly handled certain memory operations. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-12133) It was discovered that the GNU C Library… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12133
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-18269
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11236
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11237
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19591
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-6485
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19126
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9169
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10029
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1752

Title: USN-4415-1: coTURN vulnerabilities URL: https://ubuntu.com/security/notices/USN-4415-1 Priorities: medium Description: Felix Dörre discovered that the coTURN response buffer was not initialized properly. An attacker could possibly use this issue to obtain sensitive information. (CVE-2020-4067) It was discovered that the coTURN web server incorrectly handled HTTP POST requests. An attacker could possibly use this issue to cause a denial of service, obtain sensitive… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-4067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6061
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6062

Title: USN-4408-1: Firefox vulnerabilities URL: https://ubuntu.com/security/notices/USN-4408-1 Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass permission prompts, or execute arbitrary code. (CVE-2020-12415, CVE-2020-12416, CVE-2020-12417,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12415
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12416
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12417
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12418
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12419
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12420
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12421
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12422
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12424
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12425
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12426

Title: USN-4409-1: Samba vulnerabilities URL: https://ubuntu.com/security/notices/USN-4409-1 Priorities: medium Description: Andrew Bartlett discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10730) Douglas Bagnall discovered that Samba… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10730
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10745
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10760

Title: USN-4407-1: LibVNCServer vulnerabilities URL: https://ubuntu.com/security/notices/USN-4407-1 Priorities: low,medium Description: It was discovered that LibVNCServer incorrectly handled decompressing data. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service. (CVE-2019-15680) It was discovered that an information disclosure vulnerability existed in LibVNCServer when sending a ServerCutText message. An attacker could… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-18922
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15680
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15690
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20788

Title: USN-4403-1: Mutt vulnerability and regression URL: https://ubuntu.com/security/notices/USN-4403-1 Priorities: medium Description: It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to enable MITM attacks. (CVE-2020-14954) This update also addresses a regression introduced in the previous update, USN-4401-1. It only affected Ubuntu 12.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14954

Title: USN-4402-1: curl vulnerabilities URL: https://ubuntu.com/security/notices/USN-4402-1 Priorities: medium Description: Marek Szlagor, Gregory Jefferis and Jeroen Ooms discovered that curl incorrectly handled certain credentials. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-8169) It was discovered that curl incorrectly handled certain parameters. An attacker could… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8169
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8177

315.188

Available in VMware Tanzu Network

Release Date: July 21, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4397-1: NSS vulnerabilities URL: https://usn.ubuntu.com/4397-1/ Priorities: low,medium Description: It was discovered that NSS incorrectly handled the TLS State Machine. A remote attacker could possibly use this issue to cause NSS to hang, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-17023) Cesar Pereida Garcia discovered that NSS incorrectly handled DSA key generation. A local attacker… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12399

Title: USN-4400-1: nfs-utils vulnerability URL: https://usn.ubuntu.com/4400-1/ Priorities: low Description: It was discovered that the nfs-utils package set incorrect permissions on the /var/lib/nfs directory. An attacker could possibly use this issue to escalate privileges. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-3689

Title: USN-4396-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4396-1/ Priorities: low,medium Description: It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-0093, CVE-2020-0182) It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to cause a remote denial of service. (CVE-2020-0198) It was… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0093
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0182
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0198
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13112
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13113
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13114

Title: USN-4395-1: fwupd vulnerability URL: https://usn.ubuntu.com/4395-1/ Priorities: medium Description: Justin Steven discovered that fwupd incorrectly handled certain signature verification. An attacker could possibly use this issue to install an unsigned firmware. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10759

Title: USN-4398-1: DBus vulnerability URL: https://usn.ubuntu.com/4398-1/ Priorities: medium Description: Kevin Backhouse discovered that DBus incorrectly handled file descriptors. A local attacker could possibly use this issue to cause DBus to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12049

Title: USN-4401-1: Mutt vulnerabilities URL: https://usn.ubuntu.com/4401-1/ Priorities: medium,low Description: It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to enable MITM attacks. (CVE-2020-14093) It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to proceed with a connection even if the user rejects an expired intermediate… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14093
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14154

315.185

Available in VMware Tanzu Network

Release Date: June 17, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4385-1: Intel Microcode vulnerabilities URL: https://usn.ubuntu.com/4385-1/ Priorities: medium Description: It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0543
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0548
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0549

Title: LSN-0068-1: Kernel Live Patch Security Notice URL: https://usn.ubuntu.com/lsn/0068-1/ Priorities: medium Description: Several security issues were fixed in the kernel. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0543
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8647
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8649
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11494
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12114

Title: USN-4386-1: libjpeg-turbo vulnerability URL: https://usn.ubuntu.com/4386-1/ Priorities: medium Description: It was discovered that libjpeg-turbo incorrectly handled certain PPM files. An attacker could possibly use this issue to access sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13790

315.184

Available in VMware Tanzu Network

Release Date: June 09, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4358-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4358-1/ Priorities: low,medium Description: It was discovered that libexif incorrectly handled certain tags. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20030) It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash. (CVE-2020-12767) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20030
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12767

Title: USN-4351-1: Linux firmware vulnerability URL: https://usn.ubuntu.com/4351-1/ Priorities: medium Description: Eli Biham and Lior Neumann discovered that certain Bluetooth devices incorrectly validated key exchange parameters. An attacker could possibly use this issue to obtain sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-5383

Title: USN-4364-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4364-1/ Priorities: low,medium Description: It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19060) It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19060
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11494
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11565
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11608
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11609
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11668

Title: USN-4354-1: Mailman vulnerability URL: https://usn.ubuntu.com/4354-1/ Priorities: medium Description: It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to inject arbitrary content in the login page. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12108

Title: USN-4352-1: OpenLDAP vulnerability URL: https://usn.ubuntu.com/4352-1/ Priorities: medium Description: It was discovered that OpenLDAP incorrectly handled certain queries. A remote attacker could possibly use this issue to cause OpenLDAP to consume resources, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12243

Title: USN-4353-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4353-1/ Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass security restrictions, spoof the URL bar, or execute arbitrary code. (CVE-2020-6831, CVE-2020-12387, CVE-2020-12390, CVE-2020-12391, CVE-2020-12394,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12387
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12390
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12391
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12392
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12394
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12395
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12396
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6831

Title: USN-4360-1: json-c vulnerability URL: https://usn.ubuntu.com/4360-1/ Priorities: medium Description: It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12762

Title: USN-4350-1: MySQL vulnerabilities URL: https://usn.ubuntu.com/4350-1/ Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.80 in Ubuntu 19.10 and Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.30. In addition to security fixes, the updated packages contain bug fixes,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2759
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2760
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2763
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2765
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2780
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2804
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2812
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2892
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2893
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2898
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2903
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2904
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2921
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2922
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2923
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2924
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2925
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2926
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2928
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2930

Title: USN-4359-1: APT vulnerability URL: https://usn.ubuntu.com/4359-1/ Priorities: medium Description: It was discovered that APT incorrectly handled certain filenames during package installation. If an attacker could provide a specially crafted package to be installed by the system administrator, this could cause APT to crash. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3810

Title: USN-4365-1: Bind vulnerabilities URL: https://usn.ubuntu.com/4365-1/ Priorities: medium Description: Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack. (CVE-2020-8616) Tobias Klein discovered that Bind incorrectly handled… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8616
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8617

Title: LSN-0066-1: Kernel Live Patch Security Notice URL: https://usn.ubuntu.com/lsn/0066-1/ Priorities: medium Description: Several security issues were fixed in the Linux kernel. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8647
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8649

315.183

Available in VMware Tanzu Network

Release Date: May 12, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4339-1: OpenEXR vulnerabilities URL: https://usn.ubuntu.com/4339-1/ Priorities: low,medium Description: Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115) Tan Jie… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9111
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9113
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9115
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18444
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11758
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11759
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11760
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11761
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11763
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11764
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11765

Title: USN-4348-1: Mailman vulnerabilities URL: https://usn.ubuntu.com/4348-1/ Priorities: low,medium Description: It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary scripts or HTML. (CVE-2018-0618) It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to display arbitrary text on a web page. (CVE-2018-13796) It was discovered… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0618
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12137

Title: USN-4349-1: EDK II vulnerabilities URL: https://usn.ubuntu.com/4349-1/ Priorities: medium,low Description: A buffer overflow was discovered in the network stack. An unprivileged user could potentially enable escalation of privilege and/or denial of service. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12178) A buffer overflow was discovered in BlockIo service. An unauthenticated user could potentially enable… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12178
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12180
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12181
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14558
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14559
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14563
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14586
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14587

Title: USN-4346-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4346-1/ Priorities: low,medium Description: It was discovered that the QLogic Fibre Channel driver in the Linux kernel did not properly check for error, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16233) It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16233
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16234
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9383

Title: USN-4345-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4345-1/ Priorities: low,medium,high Description: Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-11884) It was discovered that the Intel Wi-Fi driver in the Linux kernel did… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16234
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11608
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11609
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11668
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11884
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9383

Title: USN-4340-1: CUPS vulnerabilities URL: https://usn.ubuntu.com/4340-1/ Priorities: low,medium Description: It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2019-2228) Stephan Zeisberg discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2228
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3898

Title: USN-4341-1: Samba vulnerabilities URL: https://usn.ubuntu.com/4341-1/ Priorities: medium Description: Andrei Popa discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10700) It was discovered that Samba incorrectly handled certain LDAP… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10700
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10704
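
Checking a deployed stemcell against these notes by hand does not scale, so the following is an added example (it is not part of this page or of any VMware or BOSH tooling) that parses the plain-text layout used above into an index of CVE to stemcell version and answers whether a given version already carries a fix. The layout assumptions (a bare `MAJOR.MINOR` line opens each release; one `Title: ... CVEs:` line per notice followed by `- .../CVE-...` bullets) and every function and class name are ours; `SAMPLE_NOTES` is a constructed excerpt in the same format with the descriptions shortened.

```python
"""Index stemcell release notes by CVE and check whether a deployed version is covered.
Added example for this page, not part of the notes or of any VMware/BOSH tooling. It
assumes the plain-text layout used here: a bare "MAJOR.MINOR" line opens a release, then
"Release Date:", "BOSH Agent Version:", and per notice one "Title: USN-...: ... URL: ...
Priorities: ... Description: ... CVEs:" line followed by "- <url>/CVE-..." bullets."""
import re
from dataclasses import dataclass, field

VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")
TITLE_RE = re.compile(
    r"^Title:\s*(?P<id>(?:USN|LSN)-\d+-\d+):\s*(?P<title>.*?)\s+URL:\s*(?P<url>\S+)"
    r"\s+Priorities:\s*(?P<prio>[\w,]+)\s+Description:\s*(?P<desc>.*?)\s*CVEs:\s*$")
# The CVE link host varies on the page (usn.ubuntu.com vs ubuntu.com); only the id matters.
CVE_RE = re.compile(r"^-\s*\S*/(CVE-\d{4}-\d{4,})\s*$")


@dataclass
class Notice:
    id: str
    title: str
    url: str
    priorities: list                # e.g. ["high", "medium"], as listed by Ubuntu
    cves: list = field(default_factory=list)


@dataclass
class Release:
    version: tuple                  # (stemcell line, build), e.g. (315, 183)
    release_date: str = ""
    agent_version: str = ""
    notices: list = field(default_factory=list)


def parse_release_notes(text):
    """Walk the notes line by line; filler lines ("Metadata:", "USNs:") are ignored."""
    releases, current, notice = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := VERSION_RE.match(line)):
            current = Release(version=(int(m[1]), int(m[2])))
            releases.append(current)
            notice = None                           # CVE bullets bind to the latest Title
        elif current is None or not line:
            continue                                # blank, or text before the first version
        elif line.startswith("Release Date:"):
            current.release_date = line.split(":", 1)[1].strip()
        elif line.startswith("BOSH Agent Version:"):
            current.agent_version = line.split(":", 1)[1].strip()
        elif (m := TITLE_RE.match(line)):
            notice = Notice(m["id"], m["title"], m["url"], m["prio"].split(","))
            current.notices.append(notice)
        elif (m := CVE_RE.match(line)) and notice is not None:
            notice.cves.append(m[1])
    return releases


def cve_index(releases):
    """CVE -> sorted versions whose notes list it (a CVE can recur across USNs and lines)."""
    index = {}
    for rel in releases:
        for n in rel.notices:
            for cve in n.cves:
                index.setdefault(cve, set()).add(rel.version)
    return {cve: sorted(v) for cve, v in index.items()}


def first_fix(releases, cve, line=None):
    """Earliest version listing `cve`, restricted to one stemcell line when `line` is given."""
    versions = cve_index(releases).get(cve, [])
    if line is not None:
        versions = [v for v in versions if v[0] == line]
    return versions[0] if versions else None


def is_covered(releases, deployed, cve):
    """True/False if the deployed stemcell's own line lists `cve`; None if that line never does.
    Lines (315.x, 621.x) are patched independently, so they are never compared with each other."""
    major, minor = (int(x) for x in deployed.split("."))
    fix = first_fix(releases, cve, line=major)
    return None if fix is None else (major, minor) >= fix


def notices_with_priority(releases, priority):
    """(version, notice id) for every notice whose Priorities field includes `priority`."""
    return [("%d.%d" % r.version, n.id) for r in releases for n in r.notices
            if priority in n.priorities]


# Constructed excerpt in the page's format (descriptions shortened), used as sample input.
SAMPLE_NOTES = """\
315.179
Release Date: April 21, 2020
BOSH Agent Version: 2.215.10
USNs:
Title: USN-4320-1: Linux kernel vulnerability URL: https://usn.ubuntu.com/4320-1/ Priorities: medium Description: Al Viro discovered a use-after-free in the vfs layer. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428

315.175
Release Date: April 06, 2020
BOSH Agent Version: 2.215.10
Title: USN-4315-1: Apport vulnerabilities URL: https://usn.ubuntu.com/4315-1/ Priorities: high,medium Description: Apport lock file created with insecure permissions. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8831
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8833
"""
```

Feed the whole page text to `parse_release_notes` and call `is_covered(releases, "315.181", "CVE-2020-8428")` to get the answer for one deployment. Two caveats matter in practice: a `None` result means the deployed line never lists that CVE in these notes, which a pipeline should report as unknown rather than as fixed, and the comparison is deliberately confined to one stemcell line, because a fix listed under 621.x says nothing about which 315.x build picked it up.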

315.181

Available in VMware Tanzu Network

Release Date: April 23, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4335-1: Thunderbird vulnerabilities URL: https://usn.ubuntu.com/4335-1/ Priorities: medium,low,high Description: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, bypass same-origin restrictions, conduct cross-site scripting (XSS)… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11745
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11755
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11757
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11758
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11759
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11760
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11761
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11763
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11764
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15903
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17005
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17008
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17010
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17011
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17012
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17016
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17017
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17024
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17026
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20503
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6792
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6793
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6794
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6795
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6798
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6800
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6805
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6806
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6807
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6812
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6814
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6819
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6820
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6821
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6822
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6825

Title: USN-4333-1: Python vulnerabilities URL: https://usn.ubuntu.com/4333-1/ Priorities: medium,low Description: It was discovered that Python incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection. (CVE-2019-18348) It was discovered that Python incorrectly handled certain HTTP requests. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-8492) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18348
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8492

Title: USN-4334-1: Git vulnerability URL: https://usn.ubuntu.com/4334-1/ Priorities: medium Description: Carlo Arenas discovered that Git incorrectly handled certain URLs containing newlines, empty hosts, or lacking a scheme. A remote attacker could possibly use this issue to trick Git into returning credential information for a wrong host. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11008

Title: USN-4332-1: File Roller vulnerability URL: https://usn.ubuntu.com/4332-1/ Priorities: medium Description: It was discovered that File Roller incorrectly handled symlinks. An attacker could possibly use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11736

315.179

Available in VMware Tanzu Network

Release Date: April 21, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4326-1: libiberty vulnerabilities URL: https://usn.ubuntu.com/4326-1/ Priorities: low,medium Description: It was discovered that libiberty incorrectly handled parsing certain binaries. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause libiberty to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12697
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12698
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12934
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17794
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17985
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18483
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18484
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18700
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18701
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-9138
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14250
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9070
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9071

Title: USN-4323-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4323-1/ Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-6821, CVE-2020-6822, CVE-2020-6824, CVE-2020-6825, CVE-2020-6826) It was discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6821
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6822
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6823
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6824
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6825
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6826

Title: USN-4320-1: Linux kernel vulnerability URL: https://usn.ubuntu.com/4320-1/ Priorities: medium Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428

Title: USN-4318-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4318-1/ Priorities: medium,low Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428) Gustavo Romero and Paul Mackerras discovered that the KVM implementation in the Linux kernel for… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8834
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

Title: USN-4324-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4324-1/ Priorities: medium,low Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428) Shijie Luo discovered that the ext4 file system implementation in the Linux kernel did not… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

315.175

Available in VMware Tanzu Network

Release Date: April 06, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4311-1: BlueZ vulnerabilities URL: https://usn.ubuntu.com/4311-1/ Priorities: low,medium Description: It was discovered that BlueZ incorrectly handled bonding HID and HOGP devices. A local attacker could possibly use this issue to impersonate non-bonded devices. (CVE-2020-0556) It was discovered that BlueZ incorrectly handled certain commands. A local attacker could use this issue to cause BlueZ to crash, resulting in a denial of service, or… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-7837
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0556

Title: USN-4316-1: GD Graphics Library vulnerabilities URL: https://usn.ubuntu.com/4316-1/ Priorities: low Description: It was discovered that GD Graphics Library incorrectly handled cloning an image. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service. (CVE-2018-14553) It was discovered that GD Graphics Library incorrectly handled loading images from X bitmap format files. An attacker could possibly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14553
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11038

Title: USN-4314-1: pam-krb5 vulnerability URL: https://usn.ubuntu.com/4314-1/ Priorities: medium Description: Russ Allbery discovered that pam-krb5 incorrectly handled some responses. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10595

Title: USN-4317-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4317-1/ Priorities: high Description: Two use-after-free bugs were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could exploit these to cause a denial of service or execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6819
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6820

Title: USN-4315-1: Apport vulnerabilities URL: https://usn.ubuntu.com/4315-1/ Priorities: high,medium Description: Maximilien Bourgeteau discovered that the Apport lock file was created with insecure permissions. This could allow a local attacker to escalate their privileges via a symlink attack. (CVE-2020-8831) Maximilien Bourgeteau discovered a race condition in Apport when setting crash report permissions. This could allow a local attacker to… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8831
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8833

315.174

Available in VMware Tanzu Network

Release Date: March 24, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4298-1: SQLite vulnerabilities URL: https://usn.ubuntu.com/4298-1/ Priorities: medium,low Description: It was discovered that SQLite incorrectly handled certain shadow tables. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-13734, CVE-2019-13750, CVE-2019-13753) It was discovered that SQLite incorrectly handled certain corrupt records. An attacker could use… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13734
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13752
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13753
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19880
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19923
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19924
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19925
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19926
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19959
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20218
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9327

Title: USN-4299-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4299-1/ Priorities: medium,low Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the URL or other browser chrome, obtain sensitive information, bypass Content Security Policy (CSP) protections, or execute arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20503
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6805
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6806
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6807
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6809
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6812
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6813
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6814
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6815

Title: USN-4296-1: Django vulnerability URL: https://usn.ubuntu.com/4296-1/ Priorities: medium Description: Norbert Szetei discovered that Django incorrectly handled the GIS functions and aggregates on Oracle. A remote attacker could possibly use this issue to perform an SQL injection attack. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9402

315.171

Available in VMware Tanzu Network

Release Date: March 03, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4279-2: PHP regression URL: https://usn.ubuntu.com/4279-2/ Priorities: low Description: USN-4279-1 fixed vulnerabilities in PHP. The updated packages caused a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. This issue only affected… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-9253

Title: USN-4290-1: libpam-radius-auth vulnerability URL: https://usn.ubuntu.com/4290-1/ Priorities: medium Description: It was discovered that libpam-radius-auth incorrectly handled certain long passwords. A remote attacker could possibly use this issue to cause libpam-radius-auth to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-9542

Title: USN-4292-1: rsync vulnerabilities URL: https://usn.ubuntu.com/4292-1/ Priorities: low Description: It was discovered that rsync incorrectly handled pointer arithmetic in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in zlib. An… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9841
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9842
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9843

Title: USN-4289-1: Squid vulnerabilities URL: https://usn.ubuntu.com/4289-1/ Priorities: medium Description: Jeriko One discovered that Squid incorrectly handled memory when connected to an FTP server. A remote attacker could possibly use this issue to obtain sensitive information from Squid memory. (CVE-2019-12528) Regis Leroy discovered that Squid incorrectly handled certain HTTP requests. A remote attacker could possibly use this issue to access… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12528
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8449
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8450
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8517

Title: USN-4287-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4287-1/ Priorities: medium,negligible,low Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly validate device… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15099
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16229
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16232
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18683
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18786
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18809
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18885
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19057
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19062
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19071
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19078
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19082
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19332
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19965
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20096
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5108
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7053

Title: USN-4286-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4286-1/ Priorities: medium,negligible,low Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15217
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17351
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19066
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19068
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19965
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20096
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5108

Title: USN-4293-1: libarchive vulnerabilities URL: https://usn.ubuntu.com/4293-1/ Priorities: low,medium Description: It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to access sensitive information. (CVE-2019-19221) It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to cause a crash resulting in a denial of service or… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9308

Title: USN-4278-2: Firefox vulnerabilities URL: https://usn.ubuntu.com/4278-2/ Priorities: medium Description: USN-4278-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, conduct… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6798
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6800
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6801

Title: USN-4288-1: ppp vulnerability URL: https://usn.ubuntu.com/4288-1/ Priorities: medium Description: It was discovered that ppp incorrectly handled certain rhostname values. A remote attacker could use this issue to cause ppp to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8597

315.169

Available in VMware Tanzu Network

Release Date: February 18, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4277-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4277-1/ Priorities: low,medium Description: Liu Bingchang discovered that libexif incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information or cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. (CVE-2016-6328) Lili Xu and Bingchang Liu discovered that libexif incorrectly handled… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6328
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-7544
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9278

Title: USN-4275-1: Qt vulnerabilities URL: https://usn.ubuntu.com/4275-1/ Priorities: low,medium Description: It was discovered that Qt incorrectly handled certain PPM images. If a user or automated system were tricked into opening a specially crafted PPM file, a remote attacker could cause Qt to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-19872) It was discovered that Qt incorrectly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19872
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18281
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0569
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0570

Title: USN-4272-1: Pillow vulnerabilities URL: https://usn.ubuntu.com/4272-1/ Priorities: low,medium Description: It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-16865, CVE-2019-19911) It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-5312) It was discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16865
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19911
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5312
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5313

Title: USN-4273-1: ReportLab vulnerability URL: https://usn.ubuntu.com/4273-1/ Priorities: medium Description: It was discovered that ReportLab incorrectly handled certain XML documents. If a user or automated system were tricked into processing a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17626

Title: USN-4274-1: libxml2 vulnerabilities URL: https://usn.ubuntu.com/4274-1/ Priorities: low,medium Description: It was discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-19956, CVE-2020-7595) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19956
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7595

315.167

Available in VMware Tanzu Network

Release Date: February 06, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4246-1: zlib vulnerabilities URL: https://usn.ubuntu.com/4246-1/ Priorities: low Description: It was discovered that zlib incorrectly handled pointer arithmetic. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that zlib incorrectly handled vectors involving left shifts of negative integers. An attacker could use… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9841
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9842
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9843

Title: USN-4259-1: Apache Solr vulnerability
URL: https://usn.ubuntu.com/4259-1/
Priorities: high
Description: Michael Stepankin and Olga Barinova discovered that Apache Solr was vulnerable to an XXE attack. An attacker could use this vulnerability to remotely execute code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12629

Title: USN-4248-1: GraphicsMagick vulnerabilities
URL: https://usn.ubuntu.com/4248-1/
Priorities: medium
Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16545
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16669
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17498
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17500
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17501
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17502
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17503
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17782
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17783

Title: USN-4252-1: tcpdump vulnerabilities
URL: https://usn.ubuntu.com/4252-1/
Priorities: low,medium
Description: Multiple security issues were discovered in tcpdump. A remote attacker could use these issues to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10103
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10105
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14461
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14462
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14463
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14465
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14466
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14467
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14468
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14469
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14470
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14879
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14880
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14881
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14882
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16228
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16229
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16230
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16451
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16452
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19519
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1010220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15166
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15167

Title: USN-4254-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4254-1/
Priorities: medium,negligible,low
Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18683
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18885
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19057
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19062
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19332

Title: USN-4255-2: Linux kernel (HWE) vulnerabilities
URL: https://usn.ubuntu.com/4255-2/
Priorities: medium
Description: USN-4255-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7053

Title: USN-4244-1: Samba vulnerabilities
URL: https://usn.ubuntu.com/4244-1/
Priorities: low,medium
Description: It was discovered that Samba did not automatically replicate ACLs set to inherit down a subtree on AD Directory, contrary to expectations. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-14902) Robert Święcki discovered that Samba incorrectly handled certain character conversions when the log level is…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14902
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14907
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19344

Title: USN-4247-1: python-apt vulnerabilities
URL: https://usn.ubuntu.com/4247-1/
Priorities: medium
Description: It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795) It was discovered that python-apt could install packages from untrusted repositories, contrary…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15795
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15796

Title: USN-4263-1: Sudo vulnerability
URL: https://usn.ubuntu.com/4263-1/
Priorities: low
Description: Joe Vennix discovered that Sudo incorrectly handled memory operations when the pwfeedback option is enabled. A local attacker could possibly use this issue to obtain unintended access to the administrator account.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18634

Title: USN-4256-1: Cyrus SASL vulnerability
URL: https://usn.ubuntu.com/4256-1/
Priorities: medium
Description: It was discovered that Cyrus SASL incorrectly handled certain LDAP packets. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19906

Title: USN-4249-1: e2fsprogs vulnerability
URL: https://usn.ubuntu.com/4249-1/
Priorities: medium
Description: It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5188

Title: USN-4265-1: SpamAssassin vulnerabilities
URL: https://usn.ubuntu.com/4265-1/
Priorities: medium
Description: It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker could possibly run arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1930
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1931

Title: USN-4250-1: MySQL vulnerabilities
URL: https://usn.ubuntu.com/4250-1/
Priorities: medium
Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.19 in Ubuntu 19.10. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.29. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2570
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2572
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2573
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2574
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2579
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2584
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2588
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2589
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2627
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2679
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2686
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2694

Title: USN-4257-1: OpenJDK vulnerabilities
URL: https://usn.ubuntu.com/4257-1/
Priorities: low,medium
Description: It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583) It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2583
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2590
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2593
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2601
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2604
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2659

Title: USN-4245-1: PySAML2 vulnerability
URL: https://usn.ubuntu.com/4245-1/
Priorities: medium
Description: It was discovered that PySAML2 incorrectly handled certain SAML files. An attacker could possibly use this issue to bypass signature verification with arbitrary data.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5390

315.163

Available in VMware Tanzu Network

Release Date: January 21, 2020

Metadata:

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4232-1: GraphicsMagick vulnerabilities
URL: https://usn.ubuntu.com/4232-1/
Priorities: medium,low
Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14165
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14314
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14504
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14649
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14733
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14994
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-14997
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-15277
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-15930
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16352
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16353

Title: USN-4237-1: SpamAssassin vulnerabilities
URL: https://usn.ubuntu.com/4237-1/
Priorities: medium
Description: It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker could possibly run arbitrary code. (CVE-2018-11805) It was discovered that SpamAssassin incorrectly handled certain messages. A remote attacker could possibly use this issue…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11805
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12420

Title: USN-4238-1: SDL_image vulnerabilities
URL: https://usn.ubuntu.com/4238-1/
Priorities: medium,low
Description: It was discovered that SDL_image incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-3977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12216
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12217
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12218
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12219
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12222
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13616
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7635

Title: USN-4240-1: Kamailio vulnerability
URL: https://usn.ubuntu.com/4240-1/
Priorities: high
Description: It was discovered that a specially crafted message could cause a buffer overflow in Kamailio, which an attacker could exploit.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-8828

Title: USN-4239-1: PHP vulnerabilities
URL: https://usn.ubuntu.com/4239-1/
Priorities: low
Description: It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, 19.04 and 19.10. (CVE-2019-11045) It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11045
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11046
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11047
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11050

Title: USN-4236-2: Libgcrypt vulnerability
URL: https://usn.ubuntu.com/4236-2/
Priorities: medium
Description: USN-4236-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding fix for Ubuntu 16.04 LTS. Original advisory details: It was discovered that Libgcrypt was susceptible to an ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13627

Title: USN-4227-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4227-1/
Priorities: medium,low
Description: It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901) It was discovered that a heap-based buffer overflow existed in the…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16231
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16233
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19045
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19083
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19529
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19534
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19807

Title: USN-4228-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4228-1/
Priorities: medium,low
Description: It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901) It was discovered that a heap-based buffer overflow existed in the…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19534

Title: USN-4230-1: ClamAV vulnerability
URL: https://usn.ubuntu.com/4230-1/
Priorities: medium
Description: It was discovered that ClamAV incorrectly handled certain MIME messages. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15961

Title: USN-4231-1: NSS vulnerability
URL: https://usn.ubuntu.com/4231-1/
Priorities: medium
Description: It was discovered that NSS incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17006

Title: USN-4234-1: Firefox vulnerabilities
URL: https://usn.ubuntu.com/4234-1/
Priorities: medium,low
Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass Content Security Policy (CSP) restrictions, conduct cross-site scripting (XSS) attacks, or execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17016
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17017
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17020
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17022
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17024
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17025
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17026

Title: USN-4235-1: nginx vulnerability
URL: https://usn.ubuntu.com/4235-1/
Priorities: medium
Description: Bert JW Regeer and Francisco Oca Gonzalez discovered that nginx incorrectly handled certain error_page configurations. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks and access resources contrary to expectations.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20372

315.154

Available in VMware Tanzu Network

Release Date: February 04, 2020

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4222-1: GraphicsMagick vulnerabilities
URL: https://usn.ubuntu.com/4222-1/
Priorities: medium,low
Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11638
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11642
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11643
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12936
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12937
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13064
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13065
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13134
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13737
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13775
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13776
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13777

Title: USN-4216-2: Firefox vulnerabilities
URL: https://usn.ubuntu.com/4216-2/
Priorities: medium
Description: USN-4216-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11745
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11756
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17005
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17008
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17010
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17011
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17012
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17013
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17014

Title: USN-4220-1: Git vulnerabilities
URL: https://usn.ubuntu.com/4220-1/
Priorities: medium,low
Description: Joern Schneeweisz and Nicolas Joly discovered that Git contained various security flaws. An attacker could possibly use these issues to overwrite arbitrary paths, execute arbitrary code, and overwrite files in the .git directory.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1348
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1349
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1350
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1351
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1352
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1353
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1354
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1387
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19604

Title: USN-4217-1: Samba vulnerabilities
URL: https://usn.ubuntu.com/4217-1/
Priorities: medium
Description: Andreas Oster discovered that the Samba DNS management server incorrectly handled certain records. An authenticated attacker could possibly use this issue to crash Samba, resulting in a denial of service. (CVE-2019-14861) Isaac Boukris discovered that Samba did not enforce the Kerberos DelegationNotAllowed feature restriction, contrary to…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14861
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14870

Title: USN-4219-1: libssh vulnerability
URL: https://usn.ubuntu.com/4219-1/
Priorities: medium
Description: It was discovered that libssh incorrectly handled certain scp commands. If a user or automated system were tricked into using a specially-crafted scp command, a remote attacker could execute arbitrary commands on the server.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14889

Title: USN-4221-1: libpcap vulnerability
URL: https://usn.ubuntu.com/4221-1/
Priorities: medium
Description: It was discovered that libpcap did not properly validate PHB headers in some situations. An attacker could use this to cause a denial of service (memory exhaustion).
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15165

Title: USN-4214-2: RabbitMQ vulnerability
URL: https://usn.ubuntu.com/4214-2/
Priorities: medium
Description: USN-4214-1 fixed a vulnerability in RabbitMQ. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18609

Title: USN-4224-1: Django vulnerability
URL: https://usn.ubuntu.com/4224-1/
Priorities: high
Description: Simon Charette discovered that the password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19844

Title: USN-4223-1: OpenJDK vulnerabilities
URL: https://usn.ubuntu.com/4223-1/
Priorities: medium
Description: Jan Jancar, Petr Svenda, and Vladimir Sedlacek discovered that a side-channel vulnerability existed in the ECDSA implementation in OpenJDK. An attacker could use this to expose sensitive information. (CVE-2019-2894) It was discovered that the Socket implementation in OpenJDK did not properly restrict the creation of subclasses with a custom…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2894
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2945
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2949
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2962
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2964
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2973
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2975
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2978
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2981
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2983
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2987
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2988
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2989
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2992
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2999

315.146

Available in VMware Tanzu Network

Release Date: December 10, 2019

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4211-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4211-1/
Priorities: medium,negligible
Description: Zhipeng Xie discovered that an infinite loop could be triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) Nicolas Waisman discovered that the WiFi driver stack in the Linux kernel did not properly validate SSID lengths. A physically proximate attacker could…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20784
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17075
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17133

Title: USN-4205-1: SQLite vulnerabilities
URL: https://usn.ubuntu.com/4205-1/
Priorities: low,medium
Description: It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 ESM. (CVE-2018-8740) It was discovered that SQLite incorrectly handled certain schemas. An attacker could possibly use this issue to cause a denial of service. This issue…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-8740
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16168
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19242
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19244
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5018
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5827

Title: USN-4203-1: NSS vulnerability
URL: https://usn.ubuntu.com/4203-1/
Priorities: medium
Description: It was discovered that NSS incorrectly handled certain memory operations. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11745

Title: USN-4213-1: Squid vulnerabilities
URL: https://usn.ubuntu.com/4213-1/
Priorities: medium,low
Description: Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly handled certain URN requests. A remote attacker could possibly use this issue to bypass access checks and access restricted servers. This issue was only addressed in Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-12523) Jeriko One discovered that Squid incorrectly handled URN…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12523
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12526
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12854
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18676
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18677
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18678
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18679

Title: USN-4210-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4210-1/
Priorities: medium,negligible,low
Description: It was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-16746) Nicolas Waisman discovered that the WiFi driver stack in the Linux…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16746
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17075
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17133
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19060
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19065
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19075

Title: USN-4204-1: psutil vulnerability
URL: https://usn.ubuntu.com/4204-1/
Priorities: medium
Description: Riccardo Schirone discovered that psutil incorrectly handled certain reference counting operations. An attacker could use this issue to cause psutil to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18874

315.143

Available in VMware Tanzu Network

Release Date: November 26, 2019

BOSH Agent Version: 2.215.10

USNs:

Title: USN-4198-1: DjVuLibre vulnerabilities
URL: https://usn.ubuntu.com/4198-1/
Priorities: low
Description: It was discovered that DjVuLibre incorrectly handled certain memory operations. If a user or automated system were tricked into processing a specially crafted DjVu file, a remote attacker could cause applications to hang or crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15142
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15143
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15144
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15145
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18804

315.141

Available in VMware Tanzu Network

Release Date: November 18, 2019

BOSH Agent version: 2.215.10

USNs:

Title: USN-4186-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4186-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12207
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0154
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15098
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16746
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17666
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2215

Title: USN-4185-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4185-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12207
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0154
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15098
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17666

Title: USN-4190-1: libjpeg-turbo vulnerabilities
URL: https://usn.ubuntu.com/4190-1/
Priorities: low,medium
Description: It was discovered that libjpeg-turbo incorrectly handled certain BMP images. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-14498) It was discovered that libjpeg-turbo incorrectly handled certain JPEG images. An attacker could possibly use this…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14498
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19664
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20330
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2201

Title: USN-4185-3: Linux kernel vulnerability and regression
URL: https://usn.ubuntu.com/4185-3/
Priorities: high
Description: USN-4185-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. Also, the update introduced a regression that broke KVM guests where extended page tables (EPT) are disabled or not supported. This update…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155

Title: USN-4186-3: Linux kernel vulnerability
URL: https://usn.ubuntu.com/4186-3/
Priorities: high
Description: USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. This update addresses the issue. We apologize for the inconvenience. Original advisory details: Stephan van Schaik, Alyssa Milburn, Sebastian…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155

Title: USN-4182-1: Intel Microcode update
URL: https://usn.ubuntu.com/4182-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11139

Title: USN-4191-1: QEMU vulnerabilities
URL: https://usn.ubuntu.com/4191-1/
Priorities: low
Description: It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. (CVE-2019-12068) Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12068
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13164
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14378
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15890

Title: USN-4192-1: ImageMagick vulnerabilities
URL: https://usn.ubuntu.com/4192-1/
Priorities: low,negligible,medium
Description: It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12974
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12975
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12976
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12978
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12979
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13137
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13295
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13297
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13301
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13304
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13305
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13306
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13307
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13391
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13454
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14981
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15139
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15140
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16708
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16709
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16710
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16713

315.139

Release Date: November 26, 2019

BOSH Agent version: 2.215.10

USNs:

Title: USN-4186-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4186-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12207
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0154
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15098
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16746
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17666
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2215

Title: USN-4185-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4185-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12207
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0154
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15098
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17052
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17053
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17055
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17666

Title: USN-4190-1: libjpeg-turbo vulnerabilities
URL: https://usn.ubuntu.com/4190-1/
Priorities: low,medium
Description: It was discovered that libjpeg-turbo incorrectly handled certain BMP images. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-14498) It was discovered that libjpeg-turbo incorrectly handled certain JPEG images. An attacker could possibly use this…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14498
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19664
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20330
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2201

Title: USN-4185-3: Linux kernel vulnerability and regression
URL: https://usn.ubuntu.com/4185-3/
Priorities: high
Description: USN-4185-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. Also, the update introduced a regression that broke KVM guests where extended page tables (EPT) are disabled or not supported. This update…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155

Title: USN-4186-3: Linux kernel vulnerability
URL: https://usn.ubuntu.com/4186-3/
Priorities: high
Description: USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. This update addresses the issue. We apologize for the inconvenience. Original advisory details: Stephan van Schaik, Alyssa Milburn, Sebastian…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0155

Title: USN-4182-1: Intel Microcode update
URL: https://usn.ubuntu.com/4182-1/
Priorities: high,medium
Description: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11139

Title: USN-4191-1: QEMU vulnerabilities
URL: https://usn.ubuntu.com/4191-1/
Priorities: low
Description: It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. (CVE-2019-12068) Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12068
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12155
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13164
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14378
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15890

Title: USN-4192-1: ImageMagick vulnerabilities
URL: https://usn.ubuntu.com/4192-1/
Priorities: low,negligible,medium
Description: It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12974
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12975
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12976
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12977
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12978
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12979
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13135
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13137
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13295
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13297
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13301
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13304
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13305
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13306
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13307
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13391
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13454
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14981
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15139
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15140
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16708
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16709
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16710
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16713

315.133

Available in VMware Tanzu Network

Release Date: November 12, 2019

BOSH Agent version: 2.215.10

USNs:

Title: USN-4171-1: Apport vulnerabilities
URL: https://usn.ubuntu.com/4171-1/
Priorities: low,medium
Description: Kevin Backhouse discovered Apport would read its user-controlled settings file as the root user. This could be used by a local attacker to possibly crash Apport or have other unspecified consequences. (CVE-2019-11481) Sander Bos discovered a race-condition in Apport during core dump creation. This could be used by a local attacker to generate a…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11481
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11482
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11483
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11485
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15790

Title: USN-4170-1: Whoopsie vulnerability
URL: https://usn.ubuntu.com/4170-1/
Priorities: medium
Description: Kevin Backhouse discovered Whoopsie incorrectly handled very large crash reports. A local attacker could possibly use this issue to cause a denial of service, expose sensitive information or execute code as the whoopsie user.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11484

Title: USN-4176-1: GNU cpio vulnerability
URL: https://usn.ubuntu.com/4176-1/
Priorities: medium
Description: Thomas Habets discovered that GNU cpio incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14866

Title: USN-4172-1: file vulnerability
URL: https://usn.ubuntu.com/4172-1/
Priorities: medium
Description: It was discovered that file incorrectly handled certain malformed files. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18218

Title: USN-4174-1: HAproxy vulnerability
URL: https://usn.ubuntu.com/4174-1/
Priorities: medium
Description: It was discovered that HAproxy incorrectly handled certain HTTP requests. An attacker could possibly use this issue to perform a privilege escalation (request smuggling).
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18277

Title: USN-4169-1: libarchive vulnerability
URL: https://usn.ubuntu.com/4169-1/
Priorities: medium
Description: It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18408

Title: USN-4175-1: Nokogiri vulnerability
URL: https://usn.ubuntu.com/4175-1/
Priorities: medium
Description: It was discovered that Nokogiri incorrectly handled inputs. A remote attacker could possibly use this issue to execute arbitrary OS commands.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5477

315.126

Available in VMware Tanzu Network

Release Date: October 29, 2019

BOSH Agent version: 2.215.9

Addresses CVE-2019-17596

315.114

Available in VMware Tanzu Network

Release Date: October 24, 2019

BOSH Agent version: 2.215.7

USNs:

Title: USN-4150-1: Thunderbird vulnerabilities
URL: https://usn.ubuntu.com/4150-1/
Priorities: medium
Description: It was discovered that encrypted S/MIME parts in a multipart message can leak plaintext contents when included in a HTML reply or forward in some circumstances. If a user were tricked in to replying to or forwarding a specially crafted message, an attacker could potentially exploit this to obtain sensitive information. (CVE-2019-11739) Multiple…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11739
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11740
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11742
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11743
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11744
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11746
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11752

Title: USN-4156-1: SDL vulnerabilities
URL: https://usn.ubuntu.com/4156-1/
Priorities: low,medium
Description: It was discovered that SDL incorrectly handled certain images. If a user were tricked into opening a crafted image file, a remote attacker could use this issue to cause SDL to crash, resulting in a denial of service, or possibly execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13616
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7572
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7573
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7574
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7576
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7578
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7635
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7636
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7637
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7638

Title: USN-4154-1: Sudo vulnerability
URL: https://usn.ubuntu.com/4154-1/
Priorities: medium
Description: Joe Vennix discovered that Sudo incorrectly handled certain user IDs. An attacker could potentially exploit this to execute arbitrary commands as the root user.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14287

Title: USN-4151-1: Python vulnerabilities
URL: https://usn.ubuntu.com/4151-1/
Priorities: medium,low
Description: It was discovered that Python incorrectly parsed certain email addresses. A remote attacker could possibly use this issue to trick Python applications into accepting email addresses that should be denied. (CVE-2019-16056) It was discovered that the Python documentation XML-RPC server incorrectly handled certain fields. A remote attacker could use…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16935

Title: USN-4155-1: Aspell vulnerability
URL: https://usn.ubuntu.com/4155-1/
Priorities: medium
Description: It was discovered that Aspell incorrectly handled certain inputs. An attacker could potentially access sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17544

315.103

Available in VMware Tanzu Network

Release Date: October 08, 2019

BOSH Agent version: 2.215.5

USNs:

315.99

Available in VMware Tanzu Network

Release Date: September 24, 2019

BOSH Agent version: 2.215.4

USNs:

315.97

Available in VMware Tanzu Network

Release Date: September 19, 2019

BOSH Agent version: 2.117.13

USNs:

Title: USN-4128-1: Tomcat vulnerabilities
URL: https://usn.ubuntu.com/4128-1/
Priorities: low,medium
Description: It was discovered that the Tomcat 8 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to perform an XSS attack. (CVE-2019-0221) It was discovered that Tomcat 8 did not address HTTP/2 connection window exhaustion on write while addressing CVE-2019-0199. An attacker could possibly use…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-10072

Title: USN-4133-1: Wireshark vulnerabilities
URL: https://usn.ubuntu.com/4133-1/
Priorities: low,medium
Description: It was discovered that Wireshark improperly handled certain input. A remote or local attacker could cause Wireshark to crash by injecting malformed packets onto the wire or convincing someone to read a malformed packet trace file.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12295
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13619

Title: USN-4134-1: IBus vulnerability
URL: https://usn.ubuntu.com/4134-1/
Priorities: medium
Description: Simon McVittie discovered that IBus did not enforce appropriate access controls on its private D-Bus socket. A local unprivileged user who discovers the IBus socket address of another user could exploit this to capture the key strokes of the other user.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14822

Title: USN-4115-2: Linux kernel regression
URL: https://usn.ubuntu.com/4115-2
Description: USN-4115-1 introduced a regression in the Linux kernel. This update addresses the regression.
CVEs:

Title: USN-4135-1: Linux kernel vulnerabilities
URL: https://usn.ubuntu.com/4135-1/
Priorities: high,medium
Description: Peter Pi discovered a buffer overflow in the virtio network backend (vhost_net) implementation in the Linux kernel. An attacker in a guest may be able to use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host OS. (CVE-2019-14835) It was discovered that the Linux kernel on PowerPC architectures did…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14835
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15030
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15031

Title: USN-4132-1: Expat vulnerability
URL: https://usn.ubuntu.com/4132-1/
Priorities: medium
Description: It was discovered that Expat incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15903

Title: USN-4129-1: curl vulnerabilities
URL: https://usn.ubuntu.com/4129-1/
Priorities: medium
Description: Thomas Vegas discovered that curl incorrectly handled memory when using Kerberos over FTP. A remote attacker could use this issue to crash curl, resulting in a denial of service. (CVE-2019-5481) Thomas Vegas discovered that curl incorrectly handled memory during TFTP transfers. A remote attacker could use this issue to crash curl, resulting in a…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5481
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5482

315.93

Release Date: September 10, 2019

BOSH Agent version: 2.215.4

USNs:

Title: USN-4122-1: Firefox vulnerabilities
URL: https://usn.ubuntu.com/4122-1/
Priorities: medium,low,negligible
Description: Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to obtain sensitive information, bypass Content Security Policy (CSP) protections, bypass same-origin restrictions, conduct cross-site scripting (XSS) attacks, cause a denial of service,…
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9812

Title: USN-4124-1: Exim vulnerability
URL: https://usn.ubuntu.com/4124-1/
Priorities: high
Description: It was discovered that Exim incorrectly handled certain decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15846

315.89

Available in VMware Tanzu Network

Release Date: September 03, 2019

BOSH Agent version: 2.215.4

USNs:

Title: USN-4110-1: Dovecot vulnerability
URL: https://usn.ubuntu.com/4110-1/
Priorities: high
Description: Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11500

This release updates Go to versions that fix the HTTP/2 CVEs disclosed in https://github.com/golang/go/issues/33606.

For more details, see https://kb.cert.org/vuls/id/605641/, which describes the CVEs that make HTTP/2 implementations vulnerable to denial of service, and https://vuls.cert.org/confluence/pages/viewpage.action?pageId=56393752, which shows a matrix of which HTTP/2 implementations are affected by which vulnerabilities.

Because the BOSH Agent shipped in the stemcell is implemented in Go, the vulnerabilities fixed in this patch are:
- CVE-2019-9512, also known as Ping Flood
- CVE-2019-9514, also known as Reset Flood

315.83

Available in VMware Tanzu Network

Release Date: August 27, 2019

BOSH Agent version: 2.215.3

Bi-weekly stemcell release

315.81

Available in VMware Tanzu Network

Release Date: August 16, 2019

BOSH Agent version: 2.215.3

Bi-weekly stemcell bump

315.72

Available in VMware Tanzu Network

Release Date: August 01, 2019

BOSH Agent version: 2.215.3

Bi-weekly update

315.70

Available in VMware Tanzu Network

Release Date: July 17, 2019

BOSH Agent version: 2.215.3

315.64

Available in VMware Tanzu Network

Release Date: July 11, 2019

Bi-weekly Agent Bump (July 3rd)

315.45

Available in VMware Tanzu Network

Release Date: June 25, 2019

BOSH Agent version: 2.215.3

USNs: https://usn.ubuntu.com/3977-3/

315.41

Available in VMware Tanzu Network

Release Date: June 18, 2019

CVE fixes for https://usn.ubuntu.com/4017-1/
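Scanner findings arrive as CVE ids, while these notes are organised by stemcell version, so the question a practitioner actually has is "which stemcell in my line first carries the fix for CVE-X, and is the one I have deployed at or past it?". The following is an added example, not part of these release notes and not BOSH, Ops Manager or Tanzu tooling: it indexes notes written in either layout this page uses (one field per line, as in the 315.x entries, or all fields run together on one line, as in the 621.x and 250.x entries) and answers that question. `SAMPLE` is a constructed excerpt assembled from entries that appear on this page; the function names are the example's own.

```python
"""Index stemcell release notes by version and answer "which stemcell first
lists CVE-X?" and "does my deployed stemcell already carry that fix?".

Added example for this page; not BOSH, Ops Manager or Tanzu tooling.
SAMPLE is a constructed excerpt built from entries on the page, trimmed.
"""
import re
from collections import OrderedDict

# A version heading is a line holding only "<line>.<patch>", e.g. "315.143".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# USN ids appear as "USN-4198-1", "USN 4115-1" or inside usn.ubuntu.com/4198-1/ URLs.
USN_RE = re.compile(r"(?:USN[- ]|usn\.ubuntu\.com/)(\d{4}-\d+)")
AGENT_RE = re.compile(r"BOSH Agent [Vv]ersion:\s*(\S+)")

SAMPLE = """\
315.143

Available in VMware Tanzu Network

Release Date: November 26, 2019

BOSH Agent version: 2.215.10 USNs:

Title: USN-4198-1: DjVuLibre vulnerabilities
URL: https://usn.ubuntu.com/4198-1/
Priorities: low
Description: It was discovered that DjVuLibre incorrectly handled certain memory operations.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15142
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18804

315.126

Release Date: October 29, 2019

BOSH Agent version: 2.215.9

Addresses CVE-2019-17596

315.97

Release Date: September 19, 2019

BOSH Agent version: 2.117.13 USNs:

Title: USN-4128-1: Tomcat vulnerabilities
URL: https://usn.ubuntu.com/4128-1/
Priorities: low,medium
Description: Tomcat 8 did not address HTTP/2 connection window exhaustion on write while addressing CVE-2019-0199.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-10072

250.207

Release Date: September 28, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4500-1: bsdiff vulnerabilities URL: https://ubuntu.com/security/notices/USN-4500-1 Priorities: medium Description: It was discovered that bsdiff mishandled certain input. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-9862
"""


def parse_release_notes(text):
    """Map each stemcell version to its release date, BOSH Agent version,
    the USN ids it references and the CVEs it lists as fixed.

    CVEs are read only from "- <cve url>" list items and "Addresses CVE-..."
    lines. Descriptions are skipped on purpose: a notice can name a CVE it
    does not fix (USN-4128-1 mentions CVE-2019-0199 only to say an earlier
    fix for it was incomplete)."""
    releases = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if VERSION_RE.match(line):
            current = line
            releases[current] = {"date": None, "agent": None, "usns": set(), "cves": set()}
            continue
        if current is None:
            continue  # text before the first version heading
        entry = releases[current]
        if line.startswith("Release Date:"):
            entry["date"] = line.split(":", 1)[1].strip()
        m = AGENT_RE.search(line)
        if m:
            entry["agent"] = m.group(1)
        entry["usns"].update(USN_RE.findall(line))
        if line.startswith("-") or line.startswith("Addresses"):
            entry["cves"].update(CVE_RE.findall(line))
    return releases


def version_key(version):
    """Numeric sort key, so 315.97 < 315.103 (plain string order gets this wrong)."""
    line, patch = VERSION_RE.match(version).groups()
    return (int(line), int(patch))


def first_fix(releases, cve, line=None):
    """Lowest stemcell version whose notes list `cve`, optionally restricted
    to one stemcell line such as "315". Fixes do not carry across lines."""
    hits = [v for v, e in releases.items()
            if cve in e["cves"] and (line is None or v.split(".")[0] == line)]
    return min(hits, key=version_key) if hits else None


def fixed_in_deployed(releases, deployed, cve):
    """True if `deployed` is at or past the first version in its own line that
    lists `cve`; False if it is older; None if no version in that line lists
    the CVE (the notes then say nothing about it)."""
    first = first_fix(releases, cve, line=deployed.split(".")[0])
    if first is None:
        return None
    return version_key(deployed) >= version_key(first)


if __name__ == "__main__":
    index = parse_release_notes(SAMPLE)
    for version, entry in index.items():
        print(version, entry["date"], entry["agent"],
              sorted(entry["usns"]), sorted(entry["cves"]))
    print("CVE-2019-15142 first listed in", first_fix(index, "CVE-2019-15142"))
    print("315.126 carries the CVE-2019-15142 fix:",
          fixed_in_deployed(index, "315.126", "CVE-2019-15142"))
```

Two caveats are built in. CVE ids are taken only from the `- …/cve/CVE-…` list items and `Addresses CVE-…` lines, because a notice's description can cite a CVE it does not fix (USN-4128-1 above names CVE-2019-0199 only to say a prior fix was incomplete). The lookup is per stemcell line, because a fix listed under 315.x says nothing about 250.x or 621.x. Releases that carry only a bare USN URL (315.45) or an empty USNs: section (315.103, 315.99) contribute no CVEs, so a `None` result means "not stated in these notes", not "unfixed"; check the USN itself in that case.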

250.x

This section includes release notes for the 250 line of Linux stemcells used with Ops Manager.

250.207

Available in VMware Tanzu Network

Release Date: September 28, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4500-1: bsdiff vulnerabilities
URL: https://ubuntu.com/security/notices/USN-4500-1
Priorities: medium
Description: It was discovered that bsdiff mishandled certain input. If a user were tricked into opening a malicious file, an attacker could cause bsdiff to crash or potentially execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2014-9862

Title: USN-4506-1: MCabber vulnerability
URL: https://ubuntu.com/security/notices/USN-4506-1
Priorities: medium
Description: It was discovered that MCabber does not properly manage roster pushes. An attacker could possibly use this issue to remotely perform man-in-the-middle attacks. (CVE-2016-9928)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9928

Title: USN-4513-1: apng2gif vulnerability
URL: https://ubuntu.com/security/notices/USN-4513-1
Priorities: medium
Description: Dileep Kumar Jallepalli discovered that apng2gif incorrectly handled loading APNG files. An attacker could exploit this with a crafted APNG file to access sensitive information. (CVE-2017-6960)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-6960

Title: USN-4517-1: Email-Address-List vulnerability
URL: https://ubuntu.com/security/notices/USN-4517-1
Priorities: medium
Description: It was discovered that Email-Address-List does not properly parse email addresses during email ingestion. A remote attacker could use this issue to cause an algorithmic complexity attack, resulting in a denial of service. (CVE-2018-18898)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18898

Title: USN-4507-1: ncmpc vulnerability
URL: https://ubuntu.com/security/notices/USN-4507-1
Priorities: medium
Description: It was discovered that ncmpc incorrectly handled long chat messages. A remote attacker could possibly exploit this with a crafted chat message, causing ncmpc to crash, resulting in a denial of service. (CVE-2018-9240)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-9240

Title: USN-4499-1: MilkyTracker vulnerabilities URL: https://ubuntu.com/security/notices/USN-4499-1 Priorities: medium Description: It was discovered that MilkyTracker did not properly handle certain input. If a user were tricked into opening a malicious file, an attacker could cause MilkyTracker to crash or potentially execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14496
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14497

Title: USN-4504-1: OpenSSL vulnerabilities URL: https://ubuntu.com/security/notices/USN-4504-1 Priorities: low Description: Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1551
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1563
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1968

Title: USN-4498-1: Loofah vulnerability URL: https://ubuntu.com/security/notices/USN-4498-1 Priorities: medium Description: It was discovered that Loofah does not properly sanitize JavaScript in sanitized output. An attacker could possibly use this issue to perform XSS attacks. (CVE-2019-15587) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15587

Title: USN-4496-1: Apache XML-RPC vulnerability URL: https://ubuntu.com/security/notices/USN-4496-1 Priorities: medium Description: It was discovered that Apache XML-RPC (aka ws-xmlrpc) does not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-17570) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17570

Title: USN-4526-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4526-1 Priorities: low,medium Description: It was discovered that the AMD Cryptographic Coprocessor device driver in the Linux kernel did not properly deallocate memory in some situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-18808) It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19061
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19073
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19074
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9445
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12888
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14356
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16166

Title: USN-4527-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4527-1 Priorities: low,medium Description: It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19054) It was discovered that the Atheros HTC based wireless driver in the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19054
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19073
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19074
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9445
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9453
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25212

Title: USN-4520-1: Exim SpamAssassin vulnerability URL: https://ubuntu.com/security/notices/USN-4520-1 Priorities: medium Description: It was discovered that Exim SpamAssassin does not properly handle configuration strings. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-19920) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19920

Title: USN-4534-1: Perl DBI module vulnerability URL: https://ubuntu.com/security/notices/USN-4534-1 Priorities: medium Description: It was discovered that Perl DBI module incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20919

Title: USN-4535-1: RDFLib vulnerability URL: https://ubuntu.com/security/notices/USN-4535-1 Priorities: medium Description: Gabriel Corona discovered that RDFLib did not properly load modules on the command-line. An attacker could possibly use this issue to cause RDFLib to execute arbitrary code. (CVE-2019-7653) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7653

Title: USN-4528-1: Ceph vulnerabilities URL: https://ubuntu.com/security/notices/USN-4528-1 Priorities: medium Description: Adam Mohammed discovered that Ceph incorrectly handled certain CORS ExposeHeader tags. A remote attacker could possibly use this issue to perform an HTTP header injection attack. (CVE-2020-10753) Lei Cao discovered that Ceph incorrectly handled certain POST requests with invalid tagging XML. A remote attacker could possibly use this issue… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10753
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12059
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1760

Title: USN-4518-1: xawtv vulnerability URL: https://ubuntu.com/security/notices/USN-4518-1 Priorities: low Description: Matthias Gerstner discovered that xawtv incorrectly handled opening files. A local attacker could possibly use this issue to open and write to arbitrary files and escalate privileges. (CVE-2020-13696) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13696

Title: USN-4521-1: pam_tacplus vulnerability URL: https://ubuntu.com/security/notices/USN-4521-1 Priorities: low Description: It was discovered that pam_tacplus did not properly manage shared secrets if DEBUG loglevel and journald are used. A remote attacker could use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13881

Title: USN-4511-1: QEMU vulnerability URL: https://ubuntu.com/security/notices/USN-4511-1 Priorities: medium Description: Ziming Zhang, Xiao Wei, Gonglei Arei, and Yanyu Zhang discovered that QEMU incorrectly handled certain USB packets. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14364

Title: USN-4503-1: Perl DBI module vulnerability URL: https://ubuntu.com/security/notices/USN-4503-1 Priorities: medium Description: It was discovered that Perl DBI module incorrectly handled certain calls. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14392

Title: USN-4537-1: Aptdaemon vulnerability URL: https://ubuntu.com/security/notices/USN-4537-1 Priorities: medium Description: Vaisha Bernard discovered that Aptdaemon incorrectly handled the Locale property. A local attacker could use this issue to test for the presence of local files. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15703

Title: USN-4519-1: PulseAudio vulnerability URL: https://ubuntu.com/security/notices/USN-4519-1 Priorities: medium Description: Ratchanan Srirattanamet discovered that an Ubuntu-specific patch caused PulseAudio to incorrectly handle memory under certain error conditions in the Bluez 5 module. An attacker could use this issue to cause PulseAudio to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-15710) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15710

Title: USN-4501-1: LuaJIT vulnerability URL: https://ubuntu.com/security/notices/USN-4501-1 Priorities: low Description: It was discovered that an out-of-bounds read existed in LuaJIT. An attacker could use this to cause a denial of service (application crash) or possibly expose sensitive information. (CVE-2020-15890) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15890

Title: USN-4538-1: PackageKit vulnerabilities URL: https://ubuntu.com/security/notices/USN-4538-1 Priorities: low,medium Description: Vaisha Bernard discovered that PackageKit incorrectly handled certain methods. A local attacker could use this issue to learn the MIME type of any file on the system. (CVE-2020-16121) Sami Niemimäki discovered that PackageKit incorrectly handled local deb packages. A local user could possibly use this issue to install untrusted packages, contrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16121
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16122

Title: USN-4514-1: libproxy vulnerability URL: https://ubuntu.com/security/notices/USN-4514-1 Priorities: medium Description: It was discovered that libproxy incorrectly handled certain PAC files. An attacker could possibly use this issue to cause a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-25219

Title: USN-4508-1: StoreBackup vulnerability URL: https://ubuntu.com/security/notices/USN-4508-1 Priorities: medium Description: It was discovered that StoreBackup did not properly manage lock files. A local attacker could use this issue to cause a denial of service or escalate privileges and run arbitrary code. (CVE-2020-7040) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7040

Title: USN-4515-1: Pure-FTPd vulnerability URL: https://ubuntu.com/security/notices/USN-4515-1 Priorities: low Description: Antonio Norales discovered that Pure-FTPd incorrectly handled directory aliases. An attacker could possibly use this issue to access sensitive information. (CVE-2020-9274) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9274

250.206

Available in VMware Tanzu Network

Release Date: September 09, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4485-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4485-1 Priorities: low,medium,negligible Description: Timothy Michaud discovered that the i915 graphics driver in the Linux kernel did not properly validate user memory locations for the i915_gem_execbuffer2_ioctl. A local attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2018-20669) It was discovered that the Kvaser CAN/USB driver in the Linux kernel… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20669
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10781
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12771
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15393
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24394

Title: USN-4476-1: NSS vulnerability URL: https://ubuntu.com/security/notices/USN-4476-1 Priorities: medium Description: It was discovered that NSS incorrectly handled some inputs. An attacker could possibly use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12403

Title: USN-4490-1: X.Org X Server vulnerability URL: https://ubuntu.com/security/notices/USN-4490-1 Priorities: medium Description: Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XkbSetNames function. A local attacker could possibly use this issue to escalate privileges. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14345

Title: USN-4489-1: Linux kernel vulnerability URL: https://ubuntu.com/security/notices/USN-4489-1 Priorities: high Description: Or Cohen discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14386

Title: USN-4482-1: Ark vulnerability URL: https://ubuntu.com/security/notices/USN-4482-1 Priorities: medium Description: Fabian Vogt discovered that Ark incorrectly handled symbolic links in tar archive files. An attacker could use this to construct a malicious tar archive that, when opened, would create files outside the extraction directory. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24654

250.205

Available in VMware Tanzu Network

Release Date: August 27, 2020

Metadata:

BOSH Agent Version: 2.193.8

This release changes the way the Linux Google light stemcell works to reference a source image. It will lead to a decrease in the time it takes to upload the light stemcell. This change will also help mitigate the impact of the new GCP image creation rate limit, which any user uploading more than 6 GCP stemcells an hour would hit.

USNs:

Title: USN-4459-1: Salt vulnerabilities URL: https://ubuntu.com/security/notices/USN-4459-1 Priorities: medium Description: It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. (CVE-2018-15750) It was discovered that Salt has a vulnerability that allows a user to bypass authentication. An attacker could use that to extract sensitive information, execute arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17361
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11651
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11652

Title: USN-4467-1: QEMU vulnerabilities URL: https://ubuntu.com/security/notices/USN-4467-1 Priorities: medium,low Description: Ziming Zhang and VictorV discovered that the QEMU SLiRP networking implementation incorrectly handled replying to certain ICMP echo requests. An attacker inside a guest could possibly use this issue to leak host memory to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-10756) Eric Blake and Xueqiang Wei… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10756
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10761
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12829
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13253
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13361
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13362
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13659
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13754
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13765
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13800
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14415
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15863
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16092

Title: USN-4463-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4463-1 Priorities: low Description: It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12771) Kyungtae Kim discovered that the USB testing driver in the Linux kernel did not properly deallocate memory on disconnect events. A… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12771
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15393

Title: USN-4469-1: Ghostscript vulnerabilities URL: https://ubuntu.com/security/notices/USN-4469-1 Priorities: medium Description: It was discovered that Ghostscript incorrectly handled certain document files. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could use this issue to cause Ghostscript to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16287
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16288
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16289
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16290
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16292
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16293
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16294
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16295
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16296
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16297
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16298
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16299
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16301
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16302
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16303
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16304
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16305
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16306
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16307
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-17538

Title: USN-4466-1: curl vulnerability URL: https://ubuntu.com/security/notices/USN-4466-1 Priorities: low Description: Marc Aldorasi discovered that curl incorrectly handled the libcurl CURLOPT_CONNECT_ONLY option. This could result in data being sent to the wrong destination, possibly exposing sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8231

Title: USN-4468-1: Bind vulnerabilities URL: https://ubuntu.com/security/notices/USN-4468-1 Priorities: medium,low Description: Emanuel Almeida discovered that Bind incorrectly handled certain TCP payloads. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8620) Joseph Gullo discovered that Bind incorrectly handled QNAME minimization when used in certain… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8620
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8621
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8622
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8623
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8624

250.204

Available in VMware Tanzu Network

Release Date: August 18, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4427-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4427-1 Priorities: negligible,low,medium Description: It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974

Title: USN-4446-1: Squid vulnerabilities URL: https://ubuntu.com/security/notices/USN-4446-1 Priorities: medium Description: Jeriko One discovered that Squid incorrectly handled caching certain requests. A remote attacker could possibly use this issue to perform cache-injection attacks or gain access to reverse proxy features such as ESI. (CVE-2019-12520) Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly handled certain URN requests. A remote… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12520
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12523
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12524
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18676

Title: USN-4426-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4426-1 Priorities: medium Description: Jason A. Donenfeld discovered that the ACPI implementation in the Linux kernel did not properly restrict loading SSDT code from an EFI variable. A privileged attacker could use this to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel. (CVE-2019-20908) Fan Yang discovered that the mremap implementation in the Linux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10757
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15780

Title: USN-4432-1: GRUB 2 vulnerabilities URL: https://ubuntu.com/security/notices/USN-4432-1 Priorities: high,medium Description: Jesse Michael and Mickey Shkatov discovered that the configuration parser in GRUB2 did not properly exit when errors were discovered, resulting in heap-based buffer overflows. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713) Chris Coulson discovered that the GRUB2 function… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10713
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14308
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14309
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15705
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15706
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15707

Title: USN-4449-1: Apport vulnerabilities URL: https://ubuntu.com/security/notices/USN-4449-1 Priorities: medium Description: Ryota Shiga discovered that Apport incorrectly dropped privileges when making certain D-Bus calls. A local attacker could use this issue to read arbitrary files. (CVE-2020-11936) Seong-Joong Kim discovered that Apport incorrectly parsed configuration files. A local attacker could use this issue to cause Apport to crash, resulting in a denial of… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11936
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15701
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15702

Title: USN-4455-1: NSS vulnerabilities URL: https://ubuntu.com/security/notices/USN-4455-1 Priorities: medium Description: It was discovered that NSS incorrectly handled certain signatures. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-12400, CVE-2020-12401, CVE-2020-6829) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12400
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12401
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6829

Title: USN-4448-1: Tomcat vulnerabilities URL: https://ubuntu.com/security/notices/USN-4448-1 Priorities: medium,low Description: It was discovered that Tomcat incorrectly validated the payload length in a WebSocket frame. A remote attacker could possibly use this issue to cause Tomcat to hang, resulting in a denial of service. (CVE-2020-13935) It was discovered that Tomcat incorrectly handled HTTP header parsing. In certain environments where Tomcat is located behind a… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9484

Title: USN-4454-1: Samba vulnerability URL: https://ubuntu.com/security/notices/USN-4454-1 Priorities: medium Description: Martin von Wittich and Wilko Meyer discovered that Samba incorrectly handled certain empty UDP packets when being used as an AD DC NBT server. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14303

Title: USN-4441-1: MySQL vulnerabilities URL: https://ubuntu.com/security/notices/USN-4441-1 Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.21 in Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.31. In addition to security fixes, the updated packages contain bug fixes, new features, and… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14539
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14540
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14550
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14553
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14559
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14568
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14576
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14586
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14591
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14597
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14619
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14620
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14623
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14624
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14631
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14632
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14633
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14634
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14643
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14651
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14663
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14678
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14680
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14697
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14702

Title: USN-4453-1: OpenJDK 8 vulnerabilities URL: https://ubuntu.com/security/notices/USN-4453-1 Priorities: medium Description: Johannes Kuhn discovered that OpenJDK 8 incorrectly handled access control contexts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-14556) Philippe Arteau discovered that OpenJDK 8 incorrectly verified names in TLS server’s X.509 certificates. An attacker could possibly use this issue to obtain sensitive… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14556
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14578
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14579
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14581
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14583
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14593
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14621

Title: USN-4443-1: Firefox vulnerabilities URL: https://ubuntu.com/security/notices/USN-4443-1 Priorities: medium,low Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass iframe sandbox restrictions, confuse the user, or execute arbitrary code. (CVE-2020-6463, CVE-2020-6514,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15652
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15653
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15656
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15658
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15659
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6463
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6514

Title: USN-4451-1: ppp vulnerability URL: https://ubuntu.com/security/notices/USN-4451-1 Priorities: medium Description: Thomas Chauchefoin, working with Trend Micro's Zero Day Initiative, discovered that ppp incorrectly handled module loading. A local attacker could use this issue to load arbitrary kernel modules and possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15704

Title: USN-4447-1: libssh vulnerability URL: https://ubuntu.com/security/notices/USN-4447-1 Priorities: medium Description: It was discovered that libssh incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16135

250.202

Available in VMware Tanzu Network

Release Date: July 30, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4427-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4427-1 Priorities: low,medium,negligible Description: It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947) Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19947
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10766
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13974

Title: USN-4426-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4426-1 Priorities: medium Description: Jason A. Donenfeld discovered that the ACPI implementation in the Linux kernel did not properly restrict loading SSDT code from an EFI variable. A privileged attacker could use this to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel. (CVE-2019-20908) Fan Yang discovered that the mremap implementation in the Linux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20908
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10757
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11935
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15780

Title: USN-4436-1: librsvg vulnerabilities URL: https://ubuntu.com/security/notices/USN-4436-1 Priorities: low Description: It was discovered that librsvg incorrectly handled parsing certain SVG files. A remote attacker could possibly use this issue to cause librsvg to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-11464) It was discovered that librsvg incorrectly handled parsing certain SVG files with nested patterns. A… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-11464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20446

Title: USN-4435-1: ClamAV vulnerabilities URL: https://ubuntu.com/security/notices/USN-4435-1 Priorities: medium Description: It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327) It was discovered that ClamAV incorrectly handled scanning malicious files. A local attacker could possibly use this issue to delete arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3327
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3350
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3481

Title: USN-4434-1: LibVNCServer vulnerabilities URL: https://ubuntu.com/security/notices/USN-4434-1 Priorities: medium Description: Ramin Farajpour Cami discovered that LibVNCServer incorrectly handled certain malformed unix socket names. A remote attacker could exploit this with a crafted socket name, leading to a denial of service, or possibly execute arbitrary code. (CVE-2019-20839) It was discovered that LibVNCServer did not properly access byte-aligned data. A remote… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20839
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14396
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14397
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14398
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14399
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14400
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14401
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14402
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14403
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14404
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14405

Title: USN-4431-1: FFmpeg vulnerabilities URL: https://ubuntu.com/security/notices/USN-4431-1 Priorities: low,medium Description: It was discovered that FFmpeg incorrectly verified empty audio packets or HEVC data. An attacker could possibly use this issue to cause a denial of service via a crafted file. This issue only affected Ubuntu 16.04 LTS, as it was already fixed in Ubuntu 18.04 LTS. For more information see: https://usn.ubuntu.com/usn/usn-3967-1 (CVE-2018-15822,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15822
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11338
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12730
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13312
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13390
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17539
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17542
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12284
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13904

Title: USN-4428-1: Python vulnerabilities URL: https://ubuntu.com/security/notices/USN-4428-1 Priorities: low,medium Description: It was discovered that Python documentation had misleading information. A security issue could possibly be caused by wrong assumptions based on this information. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-17514) It was discovered that Python incorrectly handled certain TAR… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17514
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20907
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9674
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14422

Title: USN-4424-1: snapd vulnerabilities URL: https://ubuntu.com/security/notices/USN-4424-1 Priorities: medium Description: It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices ran on every boot without restrictions. A physical attacker could exploit this to craft cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11933
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11934

Title: USN-4421-1: Thunderbird vulnerabilities URL: https://ubuntu.com/security/notices/USN-4421-1 Priorities: medium Description: Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-12405, CVE-2020-12406, CVE-2020-12410, CVE-2020-12417,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12398
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12399
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12405
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12406
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12410
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12417
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12418
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12419
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12420
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12421

Title: USN-4419-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4419-1 Priorities: low,medium Description: It was discovered that a race condition existed in the Precision Time Protocol (PTP) implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-10690) Matthew Sheets discovered that the SELinux… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10690
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12770
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13143
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

Title: USN-4414-1: Linux kernel vulnerabilities URL: https://ubuntu.com/security/notices/USN-4414-1 Priorities: low,medium,negligible Description: It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089) It was discovered that the btrfs file system implementation in the Linux kernel did not properly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12380
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16089
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19036
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19039
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19318
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19377
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19462
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19813
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19816
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10711
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12770
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13143

Title: USN-4416-1: GNU C Library vulnerabilities URL: https://ubuntu.com/security/notices/USN-4416-1 Priorities: low,medium Description: Florian Weimer discovered that the GNU C Library incorrectly handled certain memory operations. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-12133) It was discovered that the GNU C Library… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12133
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-18269
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11236
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-11237
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19591
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-6485
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19126
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9169
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10029
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1752

Title: USN-4415-1: coTURN vulnerabilities URL: https://ubuntu.com/security/notices/USN-4415-1 Priorities: medium Description: Felix Dörre discovered that coTURN response buffer is not initialized properly. An attacker could possibly use this issue to obtain sensitive information. (CVE-2020-4067) It was discovered that coTURN web server incorrectly handled HTTP POST requests. An attacker could possibly use this issue to cause a denial of service, obtain sensitive… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-4067
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6061
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6062

Title: USN-4408-1: Firefox vulnerabilities URL: https://ubuntu.com/security/notices/USN-4408-1 Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass permission prompts, or execute arbitrary code. (CVE-2020-12415, CVE-2020-12416, CVE-2020-12417,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12415
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12416
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12417
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12418
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12419
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12420
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12421
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12422
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12424
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12425
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12426

Title: USN-4409-1: Samba vulnerabilities URL: https://ubuntu.com/security/notices/USN-4409-1 Priorities: medium Description: Andrew Bartlett discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10730) Douglas Bagnall discovered that Samba… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10730
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10745
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10760

Title: USN-4407-1: LibVNCServer vulnerabilities URL: https://ubuntu.com/security/notices/USN-4407-1 Priorities: low,medium Description: It was discovered that LibVNCServer incorrectly handled decompressing data. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service. (CVE-2019-15680) It was discovered that an information disclosure vulnerability existed in LibVNCServer when sending a ServerCutText message. An attacker could… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-18922
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15680
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15681
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15690
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20788

Title: USN-4403-1: Mutt vulnerability and regression URL: https://ubuntu.com/security/notices/USN-4403-1 Priorities: medium Description: It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to enable MITM attacks. (CVE-2020-14954) This update also addresses a regression caused by the previous update, USN-4401-1. It only affected Ubuntu 12.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14954

Title: USN-4402-1: curl vulnerabilities URL: https://ubuntu.com/security/notices/USN-4402-1 Priorities: medium Description: Marek Szlagor, Gregory Jefferis and Jeroen Ooms discovered that curl incorrectly handled certain credentials. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-8169) It was discovered that curl incorrectly handled certain parameters. An attacker could… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8169
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8177

250.201

Available in VMware Tanzu Network

Release Date: July 20, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4397-1: NSS vulnerabilities URL: https://usn.ubuntu.com/4397-1/ Priorities: low,medium Description: It was discovered that NSS incorrectly handled the TLS State Machine. A remote attacker could possibly use this issue to cause NSS to hang, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-17023) Cesar Pereida Garcia discovered that NSS incorrectly handled DSA key generation. A local attacker… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17023
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12399

Title: USN-4400-1: nfs-utils vulnerability URL: https://usn.ubuntu.com/4400-1/ Priorities: low Description: It was discovered that the nfs-utils package set incorrect permissions on the /var/lib/nfs directory. An attacker could possibly use this issue to escalate privileges. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-3689

Title: USN-4396-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4396-1/ Priorities: low,medium Description: It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-0093, CVE-2020-0182) It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to cause a remote denial of service. (CVE-2020-0198) It was… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0093
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0182
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0198
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13112
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13113
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13114

Title: USN-4395-1: fwupd vulnerability URL: https://usn.ubuntu.com/4395-1/ Priorities: medium Description: Justin Steven discovered that fwupd incorrectly handled certain signature verification. An attacker could possibly use this issue to install an unsigned firmware. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10759

Title: USN-4398-1: DBus vulnerability URL: https://usn.ubuntu.com/4398-1/ Priorities: medium Description: Kevin Backhouse discovered that DBus incorrectly handled file descriptors. A local attacker could possibly use this issue to cause DBus to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12049

Title: USN-4401-1: Mutt vulnerabilities URL: https://usn.ubuntu.com/4401-1/ Priorities: medium,low Description: It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to enable MITM attacks. (CVE-2020-14093) It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to proceed with a connection even if the user rejects an expired intermediate… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14093
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-14154

250.200

Available in VMware Tanzu Network

Release Date: June 17, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4385-1: Intel Microcode vulnerabilities URL: https://usn.ubuntu.com/4385-1/ Priorities: medium Description: It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0543
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0548
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0549

Title: LSN-0068-1: Kernel Live Patch Security Notice URL: https://usn.ubuntu.com/lsn/0068-1/ Priorities: medium Description: Several security issues were fixed in the kernel. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0543
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8647
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8649
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11494
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12114

Title: USN-4386-1: libjpeg-turbo vulnerability URL: https://usn.ubuntu.com/4386-1/ Priorities: medium Description: It was discovered that libjpeg-turbo incorrectly handled certain PPM files. An attacker could possibly use this issue to access sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13790

250.199

Available in VMware Tanzu Network

Release Date: June 09, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4358-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4358-1/ Priorities: low,medium Description: It was discovered that libexif incorrectly handled certain tags. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20030) It was discovered that libexif incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash. (CVE-2020-12767) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20030
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12767

Title: USN-4351-1: Linux firmware vulnerability URL: https://usn.ubuntu.com/4351-1/ Priorities: medium Description: Eli Biham and Lior Neumann discovered that certain Bluetooth devices incorrectly validated key exchange parameters. An attacker could possibly use this issue to obtain sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-5383

Title: USN-4364-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4364-1/ Priorities: low,medium Description: It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19060) It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19060
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11494
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11565
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11608
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11609
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11668

Title: USN-4354-1: Mailman vulnerability URL: https://usn.ubuntu.com/4354-1/ Priorities: medium Description: It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to inject arbitrary content in the login page. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12108

Title: USN-4352-1: OpenLDAP vulnerability URL: https://usn.ubuntu.com/4352-1/ Priorities: medium Description: It was discovered that OpenLDAP incorrectly handled certain queries. A remote attacker could possibly use this issue to cause OpenLDAP to consume resources, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12243

Title: USN-4353-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4353-1/ Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass security restrictions, spoof the URL bar, or execute arbitrary code. (CVE-2020-6831, CVE-2020-12387, CVE-2020-12390, CVE-2020-12391, CVE-2020-12394,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12387
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12390
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12391
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12392
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12394
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12395
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12396
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6831

Title: USN-4360-1: json-c vulnerability URL: https://usn.ubuntu.com/4360-1/ Priorities: medium Description: It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12762

Title: USN-4350-1: MySQL vulnerabilities URL: https://usn.ubuntu.com/4350-1/ Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.80 in Ubuntu 19.10 and Ubuntu 20.04 LTS. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.30. In addition to security fixes, the updated packages contain bug fixes,… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2759
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2760
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2763
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2765
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2780
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2804
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2812
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2892
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2893
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2895
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2896
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2897
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2898
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2901
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2903
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2904
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2921
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2922
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2923
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2924
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2925
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2926
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2928
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2930

Title: USN-4359-1: APT vulnerability URL: https://usn.ubuntu.com/4359-1/ Priorities: medium Description: It was discovered that APT incorrectly handled certain filenames during package installation. If an attacker could provide a specially crafted package to be installed by the system administrator, this could cause APT to crash. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3810

Title: USN-4365-1: Bind vulnerabilities URL: https://usn.ubuntu.com/4365-1/ Priorities: medium Description: Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack. (CVE-2020-8616) Tobias Klein discovered that Bind incorrectly handled… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8616
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8617

Title: LSN-0066-1: Kernel Live Patch Security Notice URL: https://usn.ubuntu.com/lsn/0066-1/ Priorities: medium Description: Several security issues were fixed in the Linux kernel. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8647
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8649

250.198

Available in VMware Tanzu Network

Release Date: May 12, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4339-1: OpenEXR vulnerabilities URL: https://usn.ubuntu.com/4339-1/ Priorities: low,medium Description: Brandon Perry discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 20.04 LTS. (CVE-2017-9111, CVE-2017-9113, CVE-2017-9115) Tan Jie… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9111
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9113
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-9115
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18444
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11758
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11759
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11760
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11761
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11762
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11763
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11764
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11765

Title: USN-4348-1: Mailman vulnerabilities URL: https://usn.ubuntu.com/4348-1/ Priorities: low,medium Description: It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary scripts or HTML. (CVE-2018-0618) It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to display arbitrary text on a web page. (CVE-2018-13796) It was discovered… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0618
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-12137

Title: USN-4349-1: EDK II vulnerabilities URL: https://usn.ubuntu.com/4349-1/ Priorities: medium,low Description: A buffer overflow was discovered in the network stack. An unprivileged user could potentially enable escalation of privilege and/or denial of service. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12178) A buffer overflow was discovered in BlockIo service. An unauthenticated user could potentially enable… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12178
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12180
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12181
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14558
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14559
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14563
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14575
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14586
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14587

Title: USN-4346-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4346-1/ Priorities: low,medium Description: It was discovered that the QLogic Fibre Channel driver in the Linux kernel did not properly check for errors, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16233) It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16233
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16234
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9383

Title: USN-4345-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4345-1/ Priorities: low,medium,high Description: Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-11884) It was discovered that the Intel Wi-Fi driver in the Linux kernel did… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16234
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19768
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11608
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11609
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11668
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11884
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8648
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9383

Title: USN-4340-1: CUPS vulnerabilities URL: https://usn.ubuntu.com/4340-1/ Priorities: low,medium Description: It was discovered that CUPS incorrectly handled certain language values. A local attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or possibly obtain sensitive information. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2019-2228) Stephan Zeisberg discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-2228
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3898

Title: USN-4341-1: Samba vulnerabilities URL: https://usn.ubuntu.com/4341-1/ Priorities: medium Description: Andrei Popa discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10700) It was discovered that Samba incorrectly handled certain LDAP… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10700
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10704

250.196

Available in VMware Tanzu Network

Release Date: April 23, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4326-1: libiberty vulnerabilities URL: https://usn.ubuntu.com/4326-1/ Priorities: low,medium Description: It was discovered that libiberty incorrectly handled parsing certain binaries. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause libiberty to crash, resulting in a denial of service, or possibly execute arbitrary code CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12641
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12697
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12698
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12934
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17794
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17985
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18483
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18484
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18700
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18701
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-9138
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14250
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9070
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9071

Title: USN-4333-1: Python vulnerabilities URL: https://usn.ubuntu.com/4333-1/ Priorities: medium,low Description: It was discovered that Python incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection. (CVE-2019-18348) It was discovered that Python incorrectly handled certain HTTP requests. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-8492) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18348
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8492

Title: USN-4334-1: Git vulnerability URL: https://usn.ubuntu.com/4334-1/ Priorities: medium Description: Carlo Arenas discovered that Git incorrectly handled certain URLs containing newlines, empty hosts, or lacking a scheme. A remote attacker could possibly use this issue to trick Git into returning credential information for a wrong host. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11008

Title: USN-4332-1: File Roller vulnerability URL: https://usn.ubuntu.com/4332-1/ Priorities: medium Description: It was discovered that File Roller incorrectly handled symlinks. An attacker could possibly use this issue to expose sensitive information. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-11736

Title: USN-4329-1: Git vulnerability URL: https://usn.ubuntu.com/4329-1/ Priorities: medium Description: Felix Wilhelm discovered that Git incorrectly handled certain URLs that included newlines. A remote attacker could possibly use this issue to trick Git into returning credential information for a wrong host. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5260

Title: USN-4323-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4323-1/ Priorities: medium Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-6821, CVE-2020-6822, CVE-2020-6824, CVE-2020-6825, CVE-2020-6826) It was discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6821
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6822
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6823
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6824
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6825
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6826

Title: USN-4330-1: PHP vulnerabilities URL: https://usn.ubuntu.com/4330-1/ Priorities: low,medium Description: It was discovered that PHP incorrectly handled certain file uploads. An attacker could possibly use this issue to cause a crash. (CVE-2020-7062) It was discovered that PHP incorrectly handled certain PHAR archive files. An attacker could possibly use this issue to access sensitive information. (CVE-2020-7063) It was discovered that PHP… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7062
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7064
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7065
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7066

Title: USN-4320-1: Linux kernel vulnerability URL: https://usn.ubuntu.com/4320-1/ Priorities: medium Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428

Title: USN-4318-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4318-1/ Priorities: medium,low Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428) Gustavo Romero and Paul Mackerras discovered that the KVM implementation in the Linux kernel for… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8834
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

Title: USN-4324-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4324-1/ Priorities: medium,low Description: Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428) Shijie Luo discovered that the ext4 file system implementation in the Linux kernel did not… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8428
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8992

250.190

Available in VMware Tanzu Network

Release Date: April 06, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4311-1: BlueZ vulnerabilities URL: https://usn.ubuntu.com/4311-1/ Priorities: low,medium Description: It was discovered that BlueZ incorrectly handled bonding HID and HOGP devices. A local attacker could possibly use this issue to impersonate non-bonded devices. (CVE-2020-0556) It was discovered that BlueZ incorrectly handled certain commands. A local attacker could use this issue to cause BlueZ to crash, resulting in a denial of service, or… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-7837
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0556

Title: USN-4316-1: GD Graphics Library vulnerabilities URL: https://usn.ubuntu.com/4316-1/ Priorities: low Description: It was discovered that GD Graphics Library incorrectly handled cloning an image. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service. (CVE-2018-14553) It was discovered that GD Graphics Library incorrectly handled loading images from X bitmap format files. An attacker could possibly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14553
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11038

Title: USN-4314-1: pam-krb5 vulnerability URL: https://usn.ubuntu.com/4314-1/ Priorities: medium Description: Russ Allbery discovered that pam-krb5 incorrectly handled some responses. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10595

Title: USN-4317-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4317-1/ Priorities: high Description: Two use-after-free bugs were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could exploit these to cause a denial of service or execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6819
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6820

Title: USN-4315-1: Apport vulnerabilities URL: https://usn.ubuntu.com/4315-1/ Priorities: high,medium Description: Maximilien Bourgeteau discovered that the Apport lock file was created with insecure permissions. This could allow a local attacker to escalate their privileges via a symlink attack. (CVE-2020-8831) Maximilien Bourgeteau discovered a race condition in Apport when setting crash report permissions. This could allow a local attacker to… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8831
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8833

250.189

Available in VMware Tanzu Network

Release Date: March 24, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4298-1: SQLite vulnerabilities URL: https://usn.ubuntu.com/4298-1/ Priorities: medium,low Description: It was discovered that SQLite incorrectly handled certain shadow tables. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-13734, CVE-2019-13750, CVE-2019-13753) It was discovered that SQLite incorrectly handled certain corrupt records. An attacker could use… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13734
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13750
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13751
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13752
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-13753
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19880
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19923
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19924
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19925
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19926
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19959
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20218
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9327

Title: USN-4302-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4302-1/ Priorities: negligible,low,medium Description: Paulo Bonzini discovered that the KVM hypervisor implementation in the Linux kernel could improperly let a nested (level 2) guest access the resources of a parent (level 1) guest in certain situations. An attacker could use this to expose sensitive information. (CVE-2020-2732) Gregory Herrero discovered that the fix for CVE-2019-14615 to address… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15217
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19046
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19058
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19066
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19068
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8832

Title: USN-4299-1: Firefox vulnerabilities URL: https://usn.ubuntu.com/4299-1/ Priorities: medium,low Description: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the URL or other browser chrome, obtain sensitive information, bypass Content Security Policy (CSP) protections, or execute arbitrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20503
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6805
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6806
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6807
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6809
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6811
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6812
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6813
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6814
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6815

Title: USN-4305-1: ICU vulnerability URL: https://usn.ubuntu.com/4305-1/ Priorities: medium Description: André Bargull discovered that ICU incorrectly handled certain strings. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10531

Title: USN-4296-1: Django vulnerability URL: https://usn.ubuntu.com/4296-1/ Priorities: medium Description: Norbert Szetei discovered that Django incorrectly handled the GIS functions and aggregates on Oracle. A remote attacker could possibly use this issue to perform an SQL injection attack. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9402

250.185

Available in VMware Tanzu Network

Release Date: March 03, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4279-2: PHP regression URL: https://usn.ubuntu.com/4279-2/ Priorities: low Description: USN-4279-1 fixed vulnerabilities in PHP. The updated packages caused a regression. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. This issue only affected… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-9253

Title: USN-4290-1: libpam-radius-auth vulnerability URL: https://usn.ubuntu.com/4290-1/ Priorities: medium Description: It was discovered that libpam-radius-auth incorrectly handled certain long passwords. A remote attacker could possibly use this issue to cause libpam-radius-auth to crash, resulting in a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2015-9542

Title: USN-4292-1: rsync vulnerabilities URL: https://usn.ubuntu.com/4292-1/ Priorities: low Description: It was discovered that rsync incorrectly handled pointer arithmetic in zlib. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that rsync incorrectly handled vectors involving left shifts of negative integers in zlib. An… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9841
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9842
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9843

Title: USN-4289-1: Squid vulnerabilities URL: https://usn.ubuntu.com/4289-1/ Priorities: medium Description: Jeriko One discovered that Squid incorrectly handled memory when connected to an FTP server. A remote attacker could possibly use this issue to obtain sensitive information from Squid memory. (CVE-2019-12528) Regis Leroy discovered that Squid incorrectly handled certain HTTP requests. A remote attacker could possibly use this issue to access… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-12528
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8449
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8450
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8517

Title: USN-4287-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4287-1/ Priorities: medium,negligible,low Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly validate device… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15099
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16229
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16232
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18683
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18786
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18809
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18885
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19057
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19062
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19071
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19078
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19082
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19332
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19767
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19965
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20096
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5108
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7053

Title: USN-4286-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4286-1/ Priorities: medium,negligible,low Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15217
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17351
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19051
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19056
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19066
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19068
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19965
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20096
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5108

Title: USN-4293-1: libarchive vulnerabilities URL: https://usn.ubuntu.com/4293-1/ Priorities: low,medium Description: It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to access sensitive information. (CVE-2019-19221) It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to cause a crash resulting in a denial of service or… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19221
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-9308

Title: USN-4278-2: Firefox vulnerabilities URL: https://usn.ubuntu.com/4278-2/ Priorities: medium Description: USN-4278-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, conduct… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6796
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6798
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6800
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-6801

Title: USN-4288-1: ppp vulnerability URL: https://usn.ubuntu.com/4288-1/ Priorities: medium Description: It was discovered that ppp incorrectly handled certain rhostname values. A remote attacker could use this issue to cause ppp to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-8597

250.183

Available in VMware Tanzu Network

Release Date: February 18, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4277-1: libexif vulnerabilities URL: https://usn.ubuntu.com/4277-1/ Priorities: low,medium Description: Liu Bingchang discovered that libexif incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information or cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. (CVE-2016-6328) Lili Xu and Bingchang Liu discovered that libexif incorrectly handled… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6328
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-7544
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9278

Title: USN-4275-1: Qt vulnerabilities URL: https://usn.ubuntu.com/4275-1/ Priorities: low,medium Description: It was discovered that Qt incorrectly handled certain PPM images. If a user or automated system were tricked into opening a specially crafted PPM file, a remote attacker could cause Qt to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-19872) It was discovered that Qt incorrectly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19872
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18281
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0569
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-0570

Title: USN-4272-1: Pillow vulnerabilities URL: https://usn.ubuntu.com/4272-1/ Priorities: low,medium Description: It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-16865, CVE-2019-19911) It was discovered that Pillow incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-5312) It was discovered that… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-16865
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19911
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5310
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5311
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5312
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5313

Title: USN-4273-1: ReportLab vulnerability URL: https://usn.ubuntu.com/4273-1/ Priorities: medium Description: It was discovered that ReportLab incorrectly handled certain XML documents. If a user or automated system were tricked into processing a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17626

Title: USN-4274-1: libxml2 vulnerabilities URL: https://usn.ubuntu.com/4274-1/ Priorities: low,medium Description: It was discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-19956, CVE-2020-7595) CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19956
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7595

250.181

Available in VMware Tanzu Network

Release Date: February 06, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4246-1: zlib vulnerabilities URL: https://usn.ubuntu.com/4246-1/ Priorities: low Description: It was discovered that zlib incorrectly handled pointer arithmetic. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) It was discovered that zlib incorrectly handled vectors involving left shifts of negative integers. An attacker could use… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9840
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9841
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9842
- https://people.canonical.com/~ubuntu-security/cve/CVE-2016-9843

Title: USN-4259-1: Apache Solr vulnerability URL: https://usn.ubuntu.com/4259-1/ Priorities: high Description: Michael Stepankin and Olga Barinova discovered that Apache Solr was vulnerable to an XXE attack. An attacker could use this vulnerability to remotely execute code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-12629

Title: USN-4248-1: GraphicsMagick vulnerabilities URL: https://usn.ubuntu.com/4248-1/ Priorities: medium Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16545
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16547
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16669
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17498
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17500
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17501
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17502
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17503
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17782
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17783

Title: USN-4252-1: tcpdump vulnerabilities URL: https://usn.ubuntu.com/4252-1/ Priorities: low,medium Description: Multiple security issues were discovered in tcpdump. A remote attacker could use these issues to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16808
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10103
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10105
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14461
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14462
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14463
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14464
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14465
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14466
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14467
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14468
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14469
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14470
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14879
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14880
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14881
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14882
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16228
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16229
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16230
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16300
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16451
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16452
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19519
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1010220
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15166
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15167

Title: USN-4267-1: ARM mbed TLS vulnerabilities URL: https://usn.ubuntu.com/4267-1/ Priorities: medium,high Description: It was discovered that mbedtls has a bounds-check bypass through an integer overflow that can be used by an attacker to execute arbitrary code or cause a denial of service. (CVE-2017-18187) It was discovered that mbedtls has a vulnerability where an attacker could execute arbitrary code or cause a denial of service (buffer overflow) via a crafted… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2017-18187
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0487
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0488
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0497
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-0498

Title: USN-4254-1: Linux kernel vulnerabilities URL: https://usn.ubuntu.com/4254-1/ Priorities: medium,negligible,low Description: It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615) It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15291
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18683
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18885
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19057
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19062
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19063
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19227
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19332

Title: USN-4255-2: Linux kernel (HWE) vulnerabilities URL: https://usn.ubuntu.com/4255-2/ Priorities: medium Description: USN-4255-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14615
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-7053

Title: USN-4244-1: Samba vulnerabilities URL: https://usn.ubuntu.com/4244-1/ Priorities: low,medium Description: It was discovered that Samba did not automatically replicate ACLs set to inherit down a subtree on AD Directory, contrary to expectations. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-14902) Robert Święcki discovered that Samba incorrectly handled certain character conversions when the log level is… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14902
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-14907
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19344

Title: USN-4247-1: python-apt vulnerabilities URL: https://usn.ubuntu.com/4247-1/ Priorities: medium Description: It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795) It was discovered that python-apt could install packages from untrusted repositories, contrary… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15795
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-15796

Title: USN-4263-1: Sudo vulnerability URL: https://usn.ubuntu.com/4263-1/ Priorities: low Description: Joe Vennix discovered that Sudo incorrectly handled memory operations when the pwfeedback option is enabled. A local attacker could possibly use this issue to obtain unintended access to the administrator account. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18634

Title: USN-4256-1: Cyrus SASL vulnerability URL: https://usn.ubuntu.com/4256-1/ Priorities: medium Description: It was discovered that Cyrus SASL incorrectly handled certain LDAP packets. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19906

Title: USN-4249-1: e2fsprogs vulnerability URL: https://usn.ubuntu.com/4249-1/ Priorities: medium Description: It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5188

Title: USN-4265-1: SpamAssassin vulnerabilities URL: https://usn.ubuntu.com/4265-1/ Priorities: medium Description: It was discovered that SpamAssassin incorrectly handled certain CF files. If a user or automated system were tricked into using a specially-crafted CF file, a remote attacker could possibly run arbitrary code. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1930
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1931

Title: USN-4250-1: MySQL vulnerabilities URL: https://usn.ubuntu.com/4250-1/ Priorities: medium Description: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.19 in Ubuntu 19.10. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.29. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2570
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2572
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2573
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2574
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2577
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2579
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2584
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2588
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2589
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2627
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2660
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2679
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2686
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2694

Title: USN-4257-1: OpenJDK vulnerabilities URL: https://usn.ubuntu.com/4257-1/ Priorities: low,medium Description: It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583) It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An… CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2583
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2590
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2593
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2601
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2604
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2654
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2655
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-2659

Title: USN-4245-1: PySAML2 vulnerability URL: https://usn.ubuntu.com/4245-1/ Priorities: medium Description: It was discovered that PySAML2 incorrectly handled certain SAML files. An attacker could possibly use this issue to bypass signature verification with arbitrary data. CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-5390

250.178

Available in VMware Tanzu Network

Release Date: January 21, 2020

Metadata:

BOSH Agent Version: 2.193.8

USNs:

Title: USN-4232-1: GraphicsMagick vulnerabilities URL: https://usn.ubuntu.com/4232-1/ Priorities: medium,low Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. CVEs:
-