Ubuntu Security Notices

Recent content on Ubuntu security notices

USN-5244-1: DBus vulnerability

20 January 2022, 7:51 pm

Daniel Onaca discovered that DBus contained a use-after-free vulnerability,
caused by the incorrect handling of usernames sharing the same UID. An
attacker could possibly use this issue to cause DBus to crash, resulting
in a denial of service.

USN-5243-2: AIDE vulnerability

20 January 2022, 4:12 pm

USN-5243-1 fixed a vulnerability in aide. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

David Bouman discovered that AIDE incorrectly handled base64 operations. A
local attacker could use this issue to cause AIDE to crash, resulting in a
denial of service, or possibly execute arbitrary code.

USN-5243-1: AIDE vulnerability

20 January 2022, 2:48 pm

David Bouman discovered that AIDE incorrectly handled base64 operations. A
local attacker could use this issue to cause AIDE to crash, resulting in a
denial of service, or possibly execute arbitrary code.

It was discovered that Open vSwitch incorrectly handled certain fragmented
packets. A remote attacker could possibly use this issue to cause Open
vSwitch to consume resources, leading to a denial of service.

USN-5021-2: curl vulnerability

20 January 2022, 11:40 am

USN-5021-1 fixed vulnerabilities in curl. This update provides
the corresponding updates for Ubuntu 16.04 ESM.

Original advisory details:

Harry Sintonen and Tomas Hoger discovered that curl incorrectly handled
TELNET connections when the -t option was used on the command line.
Uninitialized data possibly containing sensitive information could be sent
to the remote server, contrary to expectations. (CVE-2021-22898,
CVE-2021-22925)

William Liu and Jamie Hill-Daniel discovered that the file system context
functionality in the Linux kernel contained an integer underflow
vulnerability, leading to an out-of-bounds write. A local attacker could
use this to cause a denial of service (system crash) or execute arbitrary
code. (CVE-2022-0185)

USN-5241-1: QtSvg vulnerabilities

19 January 2022, 6:06 pm

It was discovered that QtSvg incorrectly handled certain malformed SVG
images. If a user or automated system were tricked into opening a specially
crafted image file, a remote attacker could use this issue to cause QtSvg
to crash, resulting in a denial of service, or possibly execute arbitrary
code.

William Liu and Jamie Hill-Daniel discovered that the file system context
functionality in the Linux kernel contained an integer underflow
vulnerability, leading to an out-of-bounds write. A local attacker could
use this to cause a denial of service (system crash) or execute arbitrary
code.

USN-5233-2: ClamAV vulnerability

19 January 2022, 12:42 pm

USN-5233-1 fixed a vulnerability in ClamAV. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

It was discovered that ClamAV incorrectly handled memory when the
CL_SCAN_GENERAL_COLLECT_METADATA scan option was enabled. A remote attacker
could possibly use this issue to cause ClamAV to crash, resulting in a
denial of service.

USN-5234-1: Byobu vulnerability

18 January 2022, 6:29 pm

Sander Bos discovered that Byobu incorrectly handled certain Apport data.
An attacker could possibly use this issue to expose sensitive information.