USN-4784-1: Xerces-C++ vulnerabilities

It was discovered that Xerces-C++ XML Parser mishandles certain kinds of external DTD references, resulting in a user-after-free. An attacker could use this vulnerability to cause a denial of service crash or possibly execute arbitrary code. This issue affected only Ubuntu 16.04 ESM. CVE-2016-209...

USN-4783-1: minimatch vulnerability

It was discovered that minimatch did not perform necessary bounds checking on regular expressions. An attacker could use this vulnerability to cause a denial of service...

USN-4779-1: Gettext vulnerability

Danilo Segan discovered that Gettext mishandled certain input. An attacker could use this vulnerability to execute arbitrary code...

USN-4778-1: OCaml vulnerabilities

It was discovered that OCaml mishandled sign extensions. A remote attacker could use this vulnerability to steal sensitive information, cause a denial of service crash, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. CVE-2015-8869 It was discovered that OCaml...

USN-4777-1: node-tar vulnerability

It was discovered that node-tar mishandled certain tar archives. An attacker could use this vulnerability to write arbitrary files to the filesystem...

USN-4776-1: semver vulnerability

It was discovered that semver incorrectly handled certain inputs. A remote attacker could possibly use this issue to cause a denial of service...

USN-4775-1: Lighttpd vulnerabilities

It was discovered that Lighttpd did not properly sanitized the string used in basic HTTP authentication method. A remote attacker could use this to inject arbitrary log entries and maybe obtain sensitive information. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. CVE-2015-3200 It...

USN-4773-1: Drupal vulnerabilities

It was discovered that Drupal did not properly process certain input. An attacker could use this vulnerability to execute arbitrary code or completely compromise a Drupal site. CVE-2018-7600, CVE-2018-7602 It was discovered that password reset URLs in Drupal could be forged. An attacker could use...

USN-4772-1: VNC4 vulnerabilities

USN-2500-1 addressed CVE-2015-0255 for xorg-server. This update provides the corresponding fix for VNC4 on Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. CVE-2015-0255 USN-2726-1 addressed CVE-2015-1283 for Expat. This update provides the corresponding fix for VNC4 on Ubuntu 14.04 ESM and Ubuntu 16.04 ES...

USN-4771-1: HTCondor vulnerabilities

It was discovered that HTCondor incorrectly invoked the mailx utility. An attacker could use this vulnerability to execute arbitrary commands. This issue only affected Ubuntu 14.04 ESM. CVE-2014-8126 It was discovered that HTCondor mishandled certain crafted input. An attacker could use this...

USN-4770-1: GlusterFS vulnerabilities

It was discovered that GlusterFS incorrectly handled network requests. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM. CVE-2014-3619 It was discovered that GlusterFS incorrectly handled user permissions. An authenticated attacker...

USN-4769-1: Salt vulnerabilities

It was discovered that Salt allowed remote attackers to write to arbitrary files via a special crafted file. An attacker could use this vulnerability to cause a DoS or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM. CVE-2014-3563 Andreas Stieger discovered that Salt...

USN-4768-1: musl vulnerabilities

It was discovered that musl did not properly handle kernel syscalls. An attacker could use this vulnerability to cause a denial of service crash or possibly execute arbitrary code. CVE-2018-1000001 It was discovered that musl did not properly handle the parsing of DNS response codes. A remote...

USN-4766-1: Apache Commons BeanUtils vulnerabilities

It was discovered that Apache Commons BeanUtils improperly handled certain input. An attacker could possibly use this vulnerability to cause a crash or execute arbitrary code...

USN-4765-1: The Sleuth Kit vulnerabilities

It was discovered that The Sleuth Kit did not properly handle certain entires in FAT file systems. An attacker could use this vulnerability to mislead an analyst and obscure their activities. This issue only affected Ubuntu 14.04 ESM. CVE-2012-5619 It was discovered that The Sleuth Kit mishandled...

USN-4764-1: GLib vulnerability

It was discovered that GLib incorrectly handled certain symlinks when replacing files. If a user or automated system were tricked into extracting a specially crafted file with File Roller, a remote attacker could possibly create files outside of the intended directory...

USN-4754-3: Python vulnerabilities

USN-4754-1 fixed vulnerabilities in Python. This update provides the corresponding updates for Ubuntu 18.04 and Ubuntu 20.04. In the case of Python 2.7 for 20.04, these additional fixes are included: It was dicovered that Python allowed remote attackers to cause a denial of service resource...

USN-4763-1: Pillow vulnerabilities

It was discovered that Pillow incorrectly handled certain Tiff image files. If a user or automated system were tricked into opening a specially-crafted Tiff file, a remote attacker could cause Pillow to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only...

USN-4762-1: OpenSSH vulnerability

It was discovered that the OpenSSH ssh-agent incorrectly handled memory. A remote attacker able to connect to the agent could use this issue to cause it to crash, resulting in a denial of service, or possibly execute arbitrary code...

USN-4761-1: Git vulnerability

Matheus Tavares discovered that Git incorrectly handled delay-capable clean/smudge filters when being used on case-insensitive filesystems. A remote attacker could possibly use this issue to execute arbitrary code...

USN-4758-1: Go vulnerability

It was discovered that Go applications incorrectly handled uploaded content. If a user were tricked into visiting a malicious page, a remote attacker could exploit this with a crafted file to conduct cross-site scripting XSS attacks...

USN-4760-1: libzstd vulnerabilities

It was discovered that libzstd incorrectly handled file permissions. A local attacker could possibly use this issue to access certain files, contrary to expectations...

USN-4759-1: GLib vulnerabilities

Krzesimir Nowak discovered that GLib incorrectly handled certain large buffers. A remote attacker could use this issue to cause applications linked to GLib to crash, resulting in a denial of service, or possibly execute arbitrary code. CVE-2021-27218 Kevin Backhouse discovered that GLib incorrect...

USN-4733-2: GNOME Autoar regression

USN-4733-1 fixed a vulnerability in GNOME Autoar. The upstream fix introduced a regression when extracting archives containing directories. This update fixes the problem. Original advisory details: Yiğit Can Yılmaz discovered that GNOME Autoar could extract files outside of the intended directory...

USN-4757-2: wpa_supplicant and hostapd vulnerability

USN-4757-1 fixed a vulnerability in wpasupplicant and hostapd. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: It was discovered that wpasupplicant did not properly handle P2P Wi-Fi Direct provision discovery requests in some situations. A physically...

USN-4757-1: wpa_supplicant and hostapd vulnerability

It was discovered that wpasupplicant did not properly handle P2P Wi-Fi Direct provision discovery requests in some situations. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code...

USN-4754-4: Python 2.7 vulnerability

USN-4754-1 fixed vulnerabilities in Python. Because of a regression, a subsequent update removed the fix for CVE-2021-3177. This update reinstates the security fix for CVE-2021-3177. We apologize for the inconvenience. Original advisory details: It was discovered that Python incorrectly handled...

USN-4737-2: Bind vulnerability

USN-4737-1 fixed a vulnerability in Bind. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that Bind incorrectly handled GSSAPI security policy negotiation. A remote attacker could use this issue to cause Bind to...

USN-4756-1: Firefox vulnerabilities

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, conduct cross-site scripting XSS attacks, bypass HTTP auth phishing warning...

USN-4754-2: Python regression

USN-4754-1 fixed a vulnerability in Python. The fix for CVE-2021-3177 introduced a regression in Python 2.7. This update reverts the security fix pending further investigation. We apologize for the inconvenience. Original advisory details: It was discovered that Python incorrectly handled certain...

USN-4755-1: LibTIFF vulnerabilities

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges...

USN-4754-1: Python vulnerabilities

It was discovered that Python incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service. CVE-2020-27619, CVE-2021-3177...

USN-4749-1: Linux kernel vulnerabilities

Bodong Zhao discovered a use-after-free in the Sun keyboard driver implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. CVE-2020-25669 It was discovered that the jfs file system implementation in the Linux kernel...

USN-4753-1: Linux kernel (OEM) vulnerability

It was discovered that the LIO SCSI target implementation in the Linux kernel performed insufficient identifier checking in certain XCOPY requests. An attacker with access to at least one LUN in a multiple backstore environment could use this to expose sensitive information or modify data...

USN-4752-1: Linux kernel (OEM) vulnerabilities

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered that legacy pairing and secure-connections pairing authentication in the Bluetooth protocol could allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. A physically proxima...

USN-4751-1: Linux kernel vulnerabilities

It was discovered that the console keyboard driver in the Linux kernel contained a race condition. A local attacker could use this to expose sensitive information kernel memory. CVE-2020-25656 Minh Yuan discovered that the tty driver in the Linux kernel contained race conditions when handling...

USN-4750-1: Linux kernel vulnerabilities

Bodong Zhao discovered a use-after-free in the Sun keyboard driver implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. CVE-2020-25669 It was discovered that the jfs file system implementation in the Linux kernel...

USN-4748-1: Linux kernel vulnerabilities

It was discovered that the jfs file system implementation in the Linux kernel contained an out-of-bounds read vulnerability. A local attacker could use this to possibly cause a denial of service system crash. CVE-2020-27815 It was discovered that the memory management subsystem in the Linux kerne...

USN-4747-2: GNU Screen vulnerability

USN-4747-1 fixed a vulnerability in screen. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: Felix Weinmann discovered that GNU Screen incorrectly handled certain character sequences. A remote attacker could use this issue to cause GNU Screen to crash...

USN-4747-1: GNU Screen vulnerability

Felix Weinmann discovered that GNU Screen incorrectly handled certain character sequences. A remote attacker could use this issue to cause GNU Screen to crash, resulting in a denial of service, or possibly execute arbitrary code...

USN-4746-1: xterm vulnerability

Tavis Ormandy discovered that xterm incorrectly handled certain character sequences. A remote attacker could use this issue to cause xterm to crash, resulting in a denial of service, or possibly execute arbitrary code...

USN-4698-2: Dnsmasq regression

USN-4698-1 fixed vulnerabilities in Dnsmasq. The updates introduced regressions in certain environments related to issues with multiple queries, and issues with retries. This update fixes the problem. Original advisory details: Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly...

USN-4745-1: OpenSSL vulnerabilities

David Benjamin discovered that OpenSSL incorrectly handled comparing certificates containing a EDIPartyName name type. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. CVE-2020-1971 Tavis Ormandy discovered that OpenSSL incorrectly handl...

USN-4467-3: QEMU regression

USN-4467-1 fixed vulnerabilities in QEMU. The fix for CVE-2020-13754 introduced a regression in certain environments. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Ren Ding, Hanqing Zhao, Alexander Bulekov, and Anatoly Trosinenko discovered that the...

USN-4744-1: OpenLDAP vulnerability

Pasi Saarinen discovered that OpenLDAP incorrectly handled certain short timestamps. A remote attacker could possibly use this issue to cause OpenLDAP to crash, resulting in a denial of service...

USN-4743-1: GDK-PixBuf vulnerability

It was discovered that the GDK-PixBuf library did not properly handle certain GIF images. If an user or automated system were tricked into opening a specially crafted GIF file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service...

USN-4742-1: Django vulnerability

It was discovered that Django incorrectly accepted semicolons as query parameters. A remote attacker could possibly use this issue to perform a Web Cache Poisoning attack...

USN-4741-1: Jackson vulnerabilities

It was discovered that Jackson Databind incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code...

USN-4740-1: Apache Shiro vulnerabilities

It was discovered that Apache Shiro mishandled specially crafted requests. An attacker could use this vulnerability to bypass authentication mechanisms...

USN-4739-1: WebKitGTK vulnerability

A large number of security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service...