These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please file a bug, or contact security@ubuntu.com. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.
You can also view the latest notices by subscribing to the RSS 
or the Atom feeds.
USN-1448-1: Linux kernel vulnerabilities - 21st May 2012
A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user could exploit this flaw to crash the system leading to a denial of service. (CVE-2012-1601) Steve Grubb reported a flaw with Linux fscaps (file system base capabilities) when used to increase ...
USN-1447-1: libxml2 vulnerability - 21st May 2012
Juri Aedla discovered that libxml2 contained an off by one error in its XPointer functionality. If a user or application linked against libxml2 were tricked into opening a specially crafted XML file, an attacker could cause the application to crash or possibly execute arbitrary code with the privileges of the ...
USN-1446-1: Linux kernel (OMAP4) vulnerabilities - 17th May 2012
A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-4086) A flaw was discovered in the Linux kernel's cifs file system. An unprivileged local user could exploit this flaw ...
CVE-2011-4086 CVE-2012-1090 CVE-2012-1097 CVE-2012-1146 CVE-2012-1179
USN-1445-1: Linux kernel vulnerabilities - 17th May 2012
A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-4086) A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual cpu setup. An unprivileged local user ...
CVE-2011-4086 CVE-2012-1601 CVE-2012-2123
USN-1444-1: BackupPC vulnerability - 17th May 2012
It was discovered that BackupPC did not properly sanitize its input when processing RestoreFile error messages, resulting in a cross-site scripting (XSS) vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the ...
USN-1442-1: Sudo vulnerability - 16th May 2012
It was discovered that sudo incorrectly handled network masks when using Host and Host_List. A local user who is listed in sudoers may be allowed to run commands on unintended hosts when IPv4 network masks are used to grant access. A local attacker could exploit this to bypass intended access ...
USN-1441-1: Quagga vulnerabilities - 15th May 2012
It was discovered that Quagga incorrectly handled Link State Update messages with invalid lengths. A remote attacker could use this flaw to cause Quagga to crash, resulting in a denial of service. (CVE-2012-0249, CVE-2012-0250) It was discovered that Quagga incorrectly handled messages with a malformed Four-octet AS Number Capability. A ...
CVE-2012-0249 CVE-2012-0250 CVE-2012-0255
USN-1440-1: Linux kernel (Natty backport) vulnerabilities - 8th May 2012
A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-4086) Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl in the ...
CVE-2011-4086 CVE-2011-4347 CVE-2012-0045 CVE-2012-1090 CVE-2012-1097 CVE-2012-1146 CVE-2012-2100
USN-1432-1: Linux kernel vulnerabilities - 8th May 2012
A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-4086) A flaw was discovered in the Linux kernel's cifs file system. An unprivileged local user could exploit this flaw ...
CVE-2011-4086 CVE-2012-1090 CVE-2012-2100
USN-1439-1: Horizon vulnerabilities - 7th May 2012
Matthias Weckbecker discovered a cross-site scripting (XSS) vulnerability in Horizon via the log viewer refrash mechanism. If a user were tricked into viewing a specially crafted log message, a remote attacker could exploit this to modify the contents or steal confidential data within the same domain. (CVE-2012-2094) Thomas Biege discovered ...
USN-1437-1: PHP vulnerability - 4th May 2012
It was discovered that PHP, when used as a stand alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. This could allow a remote attacker to execute arbitrary code running with the privilege of the web server. Configurations using mod_php5 and FastCGI were ...
USN-1430-3: Thunderbird vulnerabilities - 4th May 2012
USN-1430-1 fixed vulnerabilities in Firefox. This update provides the corresponding fixes for Thunderbird. Original advisory details: Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward, and Olli Pettay discovered memory safety issues affecting Firefox. If the user were tricked into opening ...
CVE-2011-1187 CVE-2011-3062 CVE-2012-0467 CVE-2012-0468 CVE-2012-0469 CVE-2012-0470 CVE-2012-0471 CVE-2012-0473 CVE-2012-0474 CVE-2012-0475 CVE-2012-0477 CVE-2012-0478 CVE-2012-0479 LP: 987305
USN-1438-1: Nova vulnerability - 3rd May 2012
Dan Prince discovered that Nova did not enforce quotas for security groups and rules added to security groups. An authenticated user could exploit this to cause a denial of service.
USN-1436-1: Libtasn1 vulnerability - 2nd May 2012
Matthew Hall discovered that Libtasn1 incorrectly handled certain large values. An attacker could exploit this with a specially crafted ASN.1 structure and cause a denial of service, or possibly execute arbitrary code.
USN-1435-1: ImageMagick vulnerabilities - 1st May 2012
Joonas Kuorilehto and Aleksis Kauppinen discovered that ImageMagick incorrectly handled certain ResolutionUnit tags. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user ...
CVE-2012-0247 CVE-2012-0248 CVE-2012-0259 CVE-2012-1185 CVE-2012-1186 CVE-2012-1610 CVE-2012-1798
USN-1434-1: Samba vulnerability - 1st May 2012
Ivano Cristofolini discovered that Samba incorrectly handled some Local Security Authority (LSA) remote procedure calls (RPC). A remote, authenticated attacker could exploit this to grant administrative privileges to arbitrary users. The administrative privileges could be used to bypass permission checks performed by the Samba server.
USN-1433-1: Linux kernel (Oneiric backport) vulnerabilities - 1st May 2012
A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-4086) Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl in the ...
CVE-2011-4086 CVE-2011-4347 CVE-2012-0045 CVE-2012-1090 CVE-2012-1097 CVE-2012-1146 CVE-2012-1179
USN-1431-1: Linux kernel vulnerabilities - 30th April 2012
A flaw was found in the Linux's kernels ext4 file system when mounted with a journal. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-4086) Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl in the ...
CVE-2011-4086 CVE-2011-4347 CVE-2012-0045 CVE-2012-1090 CVE-2012-1097 CVE-2012-1146 CVE-2012-1179
USN-1430-2: ubufox update - 27th April 2012
USN-1430-1 fixed vulnerabilities in Firefox. This update provides an updated ubufox package for use with the latest Firefox. Original advisory details: Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward, and Olli Pettay discovered memory safety issues affecting Firefox. If the ...
USN-1430-1: Firefox vulnerabilities - 27th April 2012
Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary Kwong, Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward, and Olli Pettay discovered memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could exploit these to cause a denial of service via ...
CVE-2011-1187 CVE-2011-3062 CVE-2012-0467 CVE-2012-0468 CVE-2012-0469 CVE-2012-0470 CVE-2012-0471 CVE-2012-0473 CVE-2012-0474 CVE-2012-0475 CVE-2012-0477 CVE-2012-0478 CVE-2012-0479 LP: 987262
USN-1429-1: Jetty vulnerability - 26th April 2012
It was discovered that Jetty computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. This could allow a remote attacker to cause a denial of service by sending many crafted parameters.
USN-1428-1: OpenSSL vulnerability - 24th April 2012
It was discovered that the fix for CVE-2012-2110 was incomplete for OpenSSL 0.9.8. A remote attacker could trigger this flaw in services that used SSL to cause a denial of service or possibly execute arbitrary code with application privileges. Ubuntu 11.10 was not affected by this issue. (CVE-2012-2131) The original ...
USN-1427-1: MySQL vulnerabilities - 24th April 2012
Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.1.62 in Ubuntu 10.04 LTS, Ubuntu 11.04 and Ubuntu 11.10. Ubuntu 8.04 LTS has been updated to MySQL 5.0.96. In addition to security fixes, the updated ...
USN-1426-1: Linux kernel (EC2) vulnerabilities - 24th April 2012
Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl in the Linux kernel. A local user could use this flaw to crash the system causing a denial of service. (CVE-2011-4347) Stephan Bärwolf discovered a flaw in the KVM (kernel-based virtual machine) subsystem ...
CVE-2011-4347 CVE-2012-0045 CVE-2012-1090 CVE-2012-1097
USN-1425-1: Linux kernel vulnerabilities - 24th April 2012
Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl in the Linux kernel. A local user could use this flaw to crash the system causing a denial of service. (CVE-2011-4347) Stephan Bärwolf discovered a flaw in the KVM (kernel-based virtual machine) subsystem ...
CVE-2011-4347 CVE-2012-0045 CVE-2012-1090 CVE-2012-1097
USN-1400-5: GSettings desktop schemas regression - 20th April 2012
USN-1400-1 fixed vulnerabilities in Firefox. Firefox 11 started using GSettings to access the system proxy settings. If there is a GSettings proxy settings schema, Firefox will consume it. The GSettings proxy settings schema that was shipped by default was unused by other applications and broke Firefox's ability to use system ...
USN-1424-1: OpenSSL vulnerabilities - 19th April 2012
It was discovered that OpenSSL could be made to dereference a NULL pointer when processing S/MIME messages. A remote attacker could use this to cause a denial of service. These issues did not affect Ubuntu 8.04 LTS. (CVE-2006-7250, CVE-2012-1165) Tavis Ormandy discovered that OpenSSL did not properly perform bounds checking ...
CVE-2006-7250 CVE-2012-1165 CVE-2012-2110
USN-1423-1: Samba vulnerability - 12th April 2012
Brian Gorenc discovered that Samba incorrectly calculated array bounds when handling remote procedure calls (RPC) over the network. A remote, unauthenticated attacker could exploit this to execute arbitrary code as the root user. (CVE-2012-1182)
USN-1422-1: Linux kernel vulnerabilities - 12th April 2012
Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl in the Linux kernel. A local user could use this flaw to crash the system causing a denial of service. (CVE-2011-4347) Stephan Bärwolf discovered a flaw in the KVM (kernel-based virtual machine) subsystem ...
CVE-2011-4347 CVE-2012-0045 CVE-2012-1097 CVE-2012-1146
USN-1421-1: Linux kernel (Maverick backport) vulnerabilities - 12th April 2012
Sasha Levin discovered a flaw in the permission checking for device assignments requested via the kvm ioctl in the Linux kernel. A local user could use this flaw to crash the system causing a denial of service. (CVE-2011-4347) Stephan Bärwolf discovered a flaw in the KVM (kernel-based virtual machine) subsystem ...
CVE-2011-4347 CVE-2012-0045 CVE-2012-1097 CVE-2012-1146
USN-1420-1: NVIDIA graphics drivers vulnerability - 11th April 2012
It was discovered that the NVIDIA graphics drivers could be reconfigured to gain access to arbitrary system memory. A local attacker could use this issue to possibly gain root privileges.
USN-1419-1: Puppet vulnerabilities - 11th April 2012
It was discovered that Puppet used a predictable filename when downloading Mac OS X package files. A local attacker could exploit this to overwrite arbitrary files. (CVE-2012-1906) It was discovered that Puppet incorrectly handled filebucket retrieval requests. A local attacker could exploit this to read arbitrary files. (CVE-2012-1986) It was ...
CVE-2012-1906 CVE-2012-1986 CVE-2012-1987 CVE-2012-1988 CVE-2012-1989
USN-1418-1: GnuTLS vulnerabilities - 5th April 2012
Alban Crequy discovered that the GnuTLS library incorrectly checked array bounds when copying TLS session data. A remote attacker could crash a client application, leading to a denial of service, as the client application prepared for TLS session resumption. (CVE-2011-4128) Matthew Hall discovered that the GnuTLS library incorrectly handled TLS ...
USN-1417-1: libpng vulnerability - 5th April 2012
It was discovered that libpng incorrectly handled certain memory operations. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or execute code with the privileges of the user invoking the program.
USN-1416-1: tiff vulnerabilities - 4th April 2012
Alexander Gavrun discovered that the TIFF library incorrectly allocated space for a tile. If a user or automated system were tricked into opening a specially crafted TIFF image, a remote attacker could execute arbitrary code with user privileges, or crash the application, leading to a denial of service. (CVE-2012-1173) It ...
USN-1400-4: Thunderbird regressions - 3rd April 2012
USN-1400-3 fixed vulnerabilities in Thunderbird. The new Thunderbird version caused a regression in IMAP connections and mail filtering. This update fixes the problem. Original advisory details: Soroush Dalili discovered that Firefox did not adequately protect against dropping JavaScript links onto a frame. A remote attacker could, through cross-site scripting (XSS), ...
LP: 962631 http://www.ubuntu.com/usn/usn-1400-3/
USN-1414-1: Aptdaemon vulnerability - 2nd April 2012
It was discovered that Aptdaemon incorrectly handled installing packages without performing a transaction simulation. An attacker could possibly use this flaw to install altered packages.
USN-1197-8: ca-certificates-java regression - 29th March 2012
USN-1197-7 fixed a vulnerability in ca-certificates-java. The new package broke upgrades from Ubuntu 11.04 to Ubuntu 11.10. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Dutch Certificate Authority DigiNotar had mis-issued multiple fraudulent certificates. These certificates could allow an attacker to ...
USN-1413-1: Nova vulnerability - 29th March 2012
Dan Prince discovered that Nova did not properly perform input validation on the length of server names. An authenticated attacker could issue requests using long server names to exhaust the storage resources containing the Nova API log file.
USN-1412-1: Linux kernel vulnerability - 29th March 2012
Somnath Kotur discovered an error in the Linux kernel's VLAN (virtual lan) and be2net drivers. An attacker on the local network could exploit this flaw to cause a denial of service.
USN-1197-7: ca-certificates-java vulnerability - 27th March 2012
USN-1197-5 addressed an issue in ca-certificates pertaining to the Dutch Certificate Authority DigiNotar mis-issuing fraudulent certificates. This update provides the corresponding update for ca-certificates-java. Original advisory details: It was discovered that Dutch Certificate Authority DigiNotar had mis-issued multiple fraudulent certificates. These certificates could allow an attacker to perform a "man ...
USN-1409-1: Linux kernel (Oneiric backport) vulnerabilities - 27th March 2012
Somnath Kotur discovered an error in the Linux kernel's VLAN (virtual lan) and be2net drivers. An attacker on the local network could exploit this flaw to cause a denial of service. (CVE-2011-3347)
USN-1406-1: Linux kernel vulnerabilities - 27th March 2012
This USN was released in error and has been removed.
USN-1411-1: Linux kernel vulnerability - 27th March 2012
Louis Rilling discovered a flaw in Linux kernel's clone command when CLONE_IO is specified. An unprivileged local user could exploit this to cause a denial of service.
USN-1410-1: Linux kernel (EC2) vulnerability - 27th March 2012
Louis Rilling discovered a flaw in Linux kernel's clone command when CLONE_IO is specified. An unprivileged local user could exploit this to cause a denial of service.
USN-1408-1: Linux kernel (FSL-IMX51) vulnerability - 27th March 2012
Louis Rilling discovered a flaw in Linux kernel's clone command when CLONE_IO is specified. An unprivileged local user could exploit this to cause a denial of service.
USN-1407-1: Linux kernel vulnerabilities - 27th March 2012
This USN was released in error and has been removed.
USN-1405-1: Linux kernel vulnerabilities - 27th March 2012
Paolo Bonzini discovered a flaw in Linux's handling of the SG_IO ioctl command. A local user, or user in a VM could exploit this flaw to bypass restrictions and gain read/write access to all data on the affected block device. (CVE-2011-4127) A flaw was found in the Linux kernel's ext4 ...
USN-1404-1: Linux kernel (OMAP4) vulnerability - 27th March 2012
Somnath Kotur discovered an error in the Linux kernel's VLAN (virtual lan) and be2net drivers. An attacker on the local network could exploit this flaw to cause a denial of service. (CVE-2011-3347) A flaw was found in the Linux kernel's ext4 file system when mounting a corrupt filesystem. A user-assisted ...
USN-1401-2: Thunderbird vulnerabilities - 23rd March 2012
USN-1401-1 fixed vulnerabilities in Xulrunner. This update provides the corresponding fixes for Thunderbird. Original advisory details: It was discovered that a flaw in the Mozilla SVG implementation could result in an out-of-bounds memory access if SVG elements were removed during a DOMAttrModified event handler. If the user were tricked into ...
CVE-2011-3658 CVE-2012-0455 CVE-2012-0456 CVE-2012-0457 CVE-2012-0458 CVE-2012-0461 CVE-2012-0464 LP: 953720