Recent content on Ubuntu security notices
USN-4535-1: RDFLib vulnerability
23 September 2020, 4:48 pmcommand-line. An attacker could possibly use this issue to cause RDFLib to
execute arbitrary code. (CVE-2019-7653)
USN-4534-1: Perl DBI module vulnerability
23 September 2020, 12:52 pmAn attacker could possibly use this issue to cause a crash or expose sensitive
information.
USN-4526-1: Linux kernel vulnerabilities
23 September 2020, 7:42 amthe Linux kernel did not properly deallocate memory in some situations. A
local attacker could use this to cause a denial of service (memory
exhaustion). (CVE-2019-18808)
It was discovered that the Conexant 23885 TV card device driver for the
Linux kernel did not properly deallocate memory in some error conditions. A
local attacker could use this to cause a denial of service (memory
exhaustion). (CVE-2019-19054)
It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel
did not properly deallocate memory in certain error conditions. A local
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2019-19061)
It was discovered that the AMD Audio Coprocessor driver for the Linux
kernel did not properly deallocate memory in certain error conditions. A
local attacker with the ability to load modules could use this to cause a
denial of service (memory exhaustion). (CVE-2019-19067)
It was discovered that the Atheros HTC based wireless driver in the Linux
kernel did not properly deallocate in certain error conditions. A local
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2019-19073, CVE-2019-19074)
It was discovered that the F2FS file system in the Linux kernel did not
properly perform bounds checking in some situations, leading to an out-of-
bounds read. A local attacker could possibly use this to expose sensitive
information (kernel memory). (CVE-2019-9445)
It was discovered that the VFIO PCI driver in the Linux kernel did not
properly handle attempts to access disabled memory spaces. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2020-12888)
It was discovered that the cgroup v2 subsystem in the Linux kernel did not
properly perform reference counting in some situations, leading to a NULL
pointer dereference. A local attacker could use this to cause a denial of
service or possibly gain administrative privileges. (CVE-2020-14356)
It was discovered that the state of network RNG in the Linux kernel was
potentially observable. A remote attacker could use this to expose
sensitive information. (CVE-2020-16166)
USN-4533-1: LTSP Display Manager vulnerabilities
22 September 2020, 8:02 pmincorrectly handled user logins from unsupported shells. A local attacker
could possibly use this issue to gain root privileges. (CVE-2019-20373)
USN-4525-1: Linux kernel vulnerabilities
22 September 2020, 7:12 pmthe Linux kernel did not properly deallocate memory in some situations. A
local attacker could use this to cause a denial of service (memory
exhaustion). (CVE-2019-18808)
It was discovered that the Conexant 23885 TV card device driver for the
Linux kernel did not properly deallocate memory in some error conditions. A
local attacker could use this to cause a denial of service (memory
exhaustion). (CVE-2019-19054)
It was discovered that the VFIO PCI driver in the Linux kernel did not
properly handle attempts to access disabled memory spaces. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2020-12888)
It was discovered that the state of network RNG in the Linux kernel was
potentially observable. A remote attacker could use this to expose
sensitive information. (CVE-2020-16166)
It was discovered that the NFS client implementation in the Linux kernel
did not properly perform bounds checking before copying security labels in
some situations. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2020-25212)
USN-4532-1: Netty vulnerabilities
22 September 2020, 4:15 pmBy sending an HTTP header with whitespace before the colon, a remote
attacker could possibly use this issue to perform an HTTP request
smuggling attack. (CVE-2019-16869)
It was discovered that Netty incorrectly handled certain HTTP headers.
By sending an HTTP header that lacks a colon, a remote attacker could
possibly use this issue to perform an HTTP request smuggling attack.
(CVE-2019-20444)
It was discovered that Netty incorrectly handled certain HTTP headers.
By sending a Content-Length header accompanied by a second Content-Length
header, or by a Transfer-Encoding header, a remote attacker could possibly
use this issue to perform an HTTP request smuggling attack.
(CVE-2019-20445)
USN-4530-1: Debian-LAN vulnerabilities
22 September 2020, 4:00 pmfor the Kerberos admin server. A local attacker could possibly use this
issue to change the passwords of other users, leading to root privilege
escalation. (CVE-2019-3467)
USN-4531-1: BusyBox vulnerability
22 September 2020, 1:57 pmcertificates. A remote attacker could possibly use this issue to intercept
secure communications.
USN-4529-1: FreeImage vulnerabilities
22 September 2020, 12:42 pmoperations. If a user were tricked into opening a crafted TIFF file, a
remote attacker could use this issue to cause a heap buffer overflow,
resulting in a denial of service attack. (CVE-2019-12211)
It was discovered that FreeImage incorrectly processed images under
certain circumstances. If a user were tricked into opening a crafted TIFF
file, a remote attacker could possibly use this issue to cause a stack
exhaustion condition, resulting in a denial of service attack.
(CVE-2019-12213)
USN-4528-1: Ceph vulnerabilities
22 September 2020, 11:17 amExposeHeader tags. A remote attacker could possibly use this issue to
preform an HTTP header injection attack. (CVE-2020-10753)
Lei Cao discovered that Ceph incorrectly handled certain POST requests with
invalid tagging XML. A remote attacker could possibly use this issue to
cause Ceph to crash, leading to a denial of service. This issue only
affected Ubuntu 18.04 LTS. (CVE-2020-12059)
Robin H. Johnson discovered that Ceph incorrectly handled certain S3
requests. A remote attacker could possibly use this issue to perform a
XSS attack. (CVE-2020-1760)