Recent content on Ubuntu security notices
USN-4924-1: Dnsmasq vulnerabilities
22 April 2021, 4:59 pmsynthesized NSEC records. A remote attacker could possibly use this issue
to prove the non-existence of hostnames that actually exist.
(CVE-2017-15107)
It was discovered that Dnsmasq incorrectly handled certain large DNS
packets. A remote attacker could possibly use this issue to cause Dnsmasq
to crash, resulting in a denial of service. (CVE-2019-14513)
USN-4916-2: Linux kernel regression
22 April 2021, 3:59 amthe fix for CVE-2021-3493 introduced a memory leak in some situations.
This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the overlayfs implementation in the Linux kernel did
not properly validate the application of file system capabilities with
respect to user namespaces. A local attacker could use this to gain
elevated privileges. (CVE-2021-3493)
Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux
kernel did not properly validate computation of branch displacements in
some situations. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-29154)
USN-4923-1: EDK II vulnerabilities
20 April 2021, 5:08 pmremote attacker could possibly use this issue to cause EDK II to consume
resources, leading to a denial of service. (CVE-2021-28210)
Satoshi Tanda discovered that EDK II incorrectly handled decompressing
certain images. A remote attacker could use this issue to cause EDK II to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2021-28211)
USN-4922-1: Ruby vulnerability
20 April 2021, 5:01 pmparsed and serialized XML documents. A remote attacker could possibly use
this issue to perform an XML round-trip attack.
USN-4921-1: libcaca vulnerability
20 April 2021, 3:41 pmAn attacker could possibly use this issue to execute arbitrary code.
USN-4918-2: ClamAV vulnerabilities
20 April 2021, 2:23 pmthe corresponding update for Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that ClamAV incorrectly handled parsing Excel documents.
A remote attacker could possibly use this issue to cause ClamAV to hang,
resulting in a denial of service. (CVE-2021-1252)
It was discovered that ClamAV incorrectly handled parsing PDF documents. A
remote attacker could possibly use this issue to cause ClamAV to crash,
resulting in a denial of service. (CVE-2021-1404)
It was discovered that ClamAV incorrectly handled parsing email. A remote
attacker could possibly use this issue to cause ClamAV to crash, resulting
in a denial of service. (CVE-2021-1405)
USN-4563-2: NTP vulnerability
20 April 2021, 1:38 pmcorresponding update for Ubuntu 20.04 LTS and Ubuntu 20.10.
Original advisory details:
It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer
dereference into NTP. An attacker could use this vulnerability to cause a
denial of service (crash).
USN-4919-1: OpenSLP vulnerability
19 April 2021, 7:28 pmattacker could use this issue to cause OpenSLP to crash or possibly execute
arbitrary code.
USN-4918-1: ClamAV vulnerabilities
19 April 2021, 5:52 pmA remote attacker could possibly use this issue to cause ClamAV to hang,
resulting in a denial of service. (CVE-2021-1252)
It was discovered that ClamAV incorrectly handled parsing PDF documents. A
remote attacker could possibly use this issue to cause ClamAV to crash,
resulting in a denial of service. (CVE-2021-1404)
It was discovered that ClamAV incorrectly handled parsing email. A remote
attacker could possibly use this issue to cause ClamAV to crash, resulting
in a denial of service. (CVE-2021-1405)
USN-4917-1: Linux kernel vulnerabilities
15 April 2021, 11:35 pmnot properly validate the application of file system capabilities with
respect to user namespaces. A local attacker could use this to gain
elevated privileges. (CVE-2021-3493)
Vincent Dehors discovered that the shiftfs file system in the Ubuntu Linux
kernel did not properly handle faults in copy_from_user() when passing
through ioctls to an underlying file system. A local attacker could use
this to cause a denial of service (memory exhaustion) or execute arbitrary
code. (CVE-2021-3492)
Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux
kernel did not properly validate computation of branch displacements in
some situations. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-29154)