Ubuntu Secutity Notices

Subscribe to Ubuntu Secutity Notices hírcsatorna
Recent content on Ubuntu security notices
Frissítve: 11 perc 19 másodperc
2020. november 26.

USN-4382-2: FreeRDP vulnerabilities

It was discovered that FreeRDP incorrectly handled certain memory operations. A remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.
2020. november 26.

USN-4646-2: poppler regression

USN-4646-1 fixed vulnerabilities in poppler. The fix for CVE-2019-10871 introduced a regression causing certain applications linked against poppler to fail. This update backs out the fix pending further investigation. We apologize for the inconvenience. Original advisory details: It was discovered that Poppler incorrectly handled certain files. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service.
2020. november 26.

USN-4649-1: xdg-utils vulnerability

Jens Mueller discovered that xdg-utils incorrectly handled certain URI. An attacker could possibly use this issue to expose sensitive information.
2020. november 26.

USN-4648-1: WebKitGTK vulnerabilities

A large number of security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
2020. november 25.

USN-4647-1: Thunderbird vulnerabilities

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across origins, bypass security restrictions, conduct phishing attacks, conduct cross-site scripting (XSS) attacks, bypass Content Security Policy (CSP) restrictions, conduct DNS rebinding attacks, or execute arbitrary code.
2020. november 25.

USN-4646-1: poppler vulnerabilities

It was discovered that Poppler incorrectly handled certain files. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service.
2020. november 25.

USN-4645-1: Mutt vulnerability

It was discovered that Mutt incorrectly handled certain connections. An attacker could possibly use this issue to expose sensitive information.
2020. november 24.

USN-4644-1: igraph vulnerability

It was discovered that igraph mishandled certain malformed XML. An attacker could use this vulnerability to cause a denial of service (crash).
2020. november 24.

USN-4643-1: atftp vulnerabilities

It was discovered that atftp's FTP server did not properly handler certain input. An attacker could use this to to cause a denial of service (crash) or possibly execute arbitrary code. (CVE-2019-11365) It was discovered that atftp's FTP server did not make proper use of mutexes when locking certain data structures. An attacker could use this to cause a denial of service via a NULL pointer dereference. (CVE-2019-11366)
2020. november 24.

USN-4642-1: PDFResurrect vulnerability

It was discovered that PDFResurrect incorrectly handled certain memory operations during PDF summary generation. An attacker could use this to cause out-of-bounds writes, resulting in a denial of service (system crash) or arbitrary code execution.
2020. november 23.

USN-4641-1: libextractor vulnerabilities

It was discovered that Libextractor incorrectly handled zero sample rate. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-15266) It was discovered that Libextractor incorrectly handled certain FLAC metadata. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-15267) It was discovered that Libextractor incorrectly handled certain specially crafted files. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-15600, CVE-2018-16430, CVE-2018-20430) It was discovered that Libextractor incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-15601) It was discovered that Libextractor incorrectly handled integers. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-15602) It was discovered that Libextractore incorrectly handled certain crafted files. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-15922) It was discovered tha Libextractor incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. (CVE-2017-17440) It was discovered that Libextractor incorrectly handled certain malformed files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-14346) It was discovered that Libextractor incorrectly handled malformed files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-14347) It was discovered that Libextractor incorrectly handled metadata. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20431)
2020. november 23.

USN-4640-1: PulseAudio vulnerability

James Henstridge discovered that an Ubuntu-specific patch caused PulseAudio to incorrectly handle snap client connections. An attacker could possibly use this to expose sensitive information.
2020. november 23.

USN-4634-2: OpenLDAP vulnerabilities

USN-4634-1 fixed several vulnerabilities in OpenLDAP. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: It was discovered that OpenLDAP incorrectly handled certain malformed inputs. A remote attacker could possibly use this issue to cause OpenLDAP to crash, resulting in a denial of service.
2020. november 19.

USN-4637-2: Firefox vulnerabilities

USN-4637-1 fixed vulnerabilities in Firefox. This update provides the corresponding updates for Ubuntu 16.04 LTS. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across origins, bypass security restrictions, conduct phishing attacks, conduct cross-site scripting (XSS) attacks, bypass Content Security Policy (CSP) restrictions, conduct DNS rebinding attacks, or execute arbitrary code.
2020. november 19.

USN-4639-1: phpMyAdmin vulnerabilities

It was discovered that there was a bug in the way phpMyAdmin handles the phpMyAdmin Configuration Storage tables. An authenticated attacker could use this vulnerability to cause phpmyAdmin to leak sensitive files. (CVE-2018-19968) It was discovered that phpMyAdmin incorrectly handled user input. An attacker could possibly use this for an XSS attack. (CVE-2018-19970) It was discovered that phpMyAdmin mishandled certain input. An attacker could use this vulnerability to execute a cross-site scripting (XSS) attack via a crafted URL. (CVE-2018-7260) It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted database name. (CVE-2019-11768) It was discovered that phpmyadmin incorrectly handled some requests. An attacker could possibly use this to perform a CSRF attack. (CVE-2019-12616) It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted username. (CVE-2019-6798, CVE-2020-10804, CVE-2020-5504) It was discovered that phpMyAdmin would allow sensitive files to be leaked if certain configuration options were set. An attacker could use this vulnerability to access confidential information. (CVE-2019-6799) It was discovered that phpMyAdmin failed to sanitize certain input. An attacker could use this vulnerability to execute an SQL injection attack via a specially crafted database or table name. (CVE-2020-10802) It was discovered that phpMyAdmin did not properly handle data from the database when displaying it. If an attacker were to insert specially- crafted data into certain database tables, the attacker could execute a cross-site scripting (XSS) attack. (CVE-2020-10803) It was discovered that phpMyAdmin was vulnerable to an XSS attack. If a victim were to click on a crafted link, an attacker could run malicious JavaScript on the victim's system. (CVE-2020-26934) It was discovered that phpMyAdmin did not properly handler certain SQL statements in the search feature. An attacker could use this vulnerability to inject malicious SQL into a query. (CVE-2020-26935)
2020. november 19.

USN-4638-1: c-ares vulnerability

It was discovered that c-ares incorrectly handled certain DNS requests. An attacker could possibly use this issue to cause a denial of service.
2020. november 18.

USN-4637-1: Firefox vulnerabilities

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across origins, bypass security restrictions, conduct phishing attacks, conduct cross-site scripting (XSS) attacks, bypass Content Security Policy (CSP) restrictions, conduct DNS rebinding attacks, or execute arbitrary code.
2020. november 17.

USN-4636-1: LibVNCServer, Vino vulnerability

It was discovered that LibVNCServer incorrectly handled certain internals. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Vino package ships with a LibVNCServer source and all listed releases were affected for this package.
2020. november 17.

USN-4635-1: Kerberos vulnerability

Demi Obenour discovered that Kerberos incorrectly handled certain ASN.1. An attacker could possibly use this issue to cause a denial of service.
2020. november 17.

USN-4634-1: OpenLDAP vulnerabilities

It was discovered that OpenLDAP incorrectly handled certain malformed inputs. A remote attacker could possibly use this issue to cause OpenLDAP to crash, resulting in a denial of service.