Ubuntu Security Advisories

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.10
• Ubuntu 20.04 LTS
• Ubuntu 18.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software Description

• firefox - Mozilla Open Source web browser

Details

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the prompt for opening an external application, obtain sensitive information, or execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.10

firefox - 82.0+build2-0ubuntu0.20.10.1

Ubuntu 20.04 LTS

firefox - 82.0+build2-0ubuntu0.20.04.1

Ubuntu 18.04 LTS

firefox - 82.0+build2-0ubuntu0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make all the necessary changes.

References

• CVE-2020-15254
• CVE-2020-15680
• CVE-2020-15681
• CVE-2020-15682
• CVE-2020-15683
• CVE-2020-15684
• CVE-2020-15969

python-pip vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

pip could be made to overwrite files as the administrator.

Software Description

• python-pip - Python package installer

Details

It was discovered that pip did not properly sanitize the filename during pip install. A remote attacker could possible use this issue to read and write arbitrary files on the host filesystem as root, resulting in a directory traversal attack. (CVE-2019-20916)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

python-pip - 9.0.1-2.3~ubuntu1.18.04.4

python3-pip - 9.0.1-2.3~ubuntu1.18.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-20916

netty-3.9 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Netty could be made to expose sensitive information over the network.

Software Description

• netty-3.9 - Asynchronous event-driven network application framework

Details

It was discovered that Netty had HTTP request smuggling vulnerabilities. A remote attacker could used it to extract sensitive information. (CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

libnetty-3.9-java - 3.9.0.Final-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-16869
• CVE-2019-20444
• CVE-2019-20445
• CVE-2020-7238

freetype vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM

Summary

FreeType could be made to crash or run programs as your login if it opened a specially crafted file.

Software Description

• freetype - FreeType 2 is a font engine library

Details

USN-4593-1 fixed a vulnerability in FreeType. This update provides the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Sergei Glazunov discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

libfreetype6 - 2.5.2-1ubuntu2.8+esm2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make all the necessary changes.

References

• USN-4593-1
• CVE-2020-15999

libetpan vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

LibEtPan could be made to expose sensitive information over the network.

Software Description

• libetpan - Mail Framework for C Language

Details

It was discovered that LibEtPan incorrectly handled STARTTLS when using IMAP, SMTP and POP3. A remote attacker could possibly use this issue to perform a response injection attack. (CVE-2020-15953)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

libetpan-dev - 1.6-1ubuntu0.1

libetpan17 - 1.6-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-15953

libapache2-mod-auth-mellon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in mod_auth_mellon.

Software Description

• libapache2-mod-auth-mellon - SAML 2.0 authentication module for Apache

Details

François Kooman discovered that mod_auth_mellon incorrectly handled cookies. An attacker could possibly use this issue to cause a Cross-Site Session Transfer attack. (CVE-2017-6807)

It was discovered that mod_auth_mellon incorrectly handled certain requests. An attacker could possibly use this issue to redirect a user to a malicious URL. (CVE-2019-3877)

It was discovered that mod_auth_mellon incorrectly handled certain requests. An attacker could possibly use this issue to access sensitive information. (CVE-2019-3878)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

libapache2-mod-auth-mellon - 0.12.0-2+deb9u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2017-6807
• CVE-2019-3877
• CVE-2019-3878

pam-python vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Pam-python could be made to crash or run programs as an administrator if certain environment variables are set.

Software Description

• pam-python - Enables PAM modules to be written in Python

Details

Malte Kraus discovered that Pam-python mishandled certain environment variables. A local attacker could potentially use this vulnerability to execute programs as root.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

libpam-python - 1.0.4-1.1+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4552-1
• CVE-2019-16729

tomcat9 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS

Summary

Several security issues were fixed in Tomcat.

Software Description

• tomcat9 - Apache Tomcat 9 - Servlet and JSP engine

Details

It was discovered that Tomcat did not properly manage HTTP/2 streams. An attacker could possibly use this to cause Tomcat to consume resources, resulting in a denial of service. (CVE-2020-11996)

It was discovered that Tomcat did not properly release the HTTP/1.1 processor after the upgrade to HTTP/2. An attacker could possibly use this to generate an OutOfMemoryException, resulting in a denial of service. (CVE-2020-13934)

It was discovered that Tomcat did not properly validate the payload length in a WebSocket frame. An attacker could possibly use this to trigger an infinite loop, resulting in a denial of service. (CVE-2020-13935)

It was discovered that Tomcat did not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-9484)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

libtomcat9-embed-java - 9.0.31-1ubuntu0.1

libtomcat9-java - 9.0.31-1ubuntu0.1

tomcat9 - 9.0.31-1ubuntu0.1

tomcat9-common - 9.0.31-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-11996
• CVE-2020-13934
• CVE-2020-13935
• CVE-2020-9484

grunt vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

Grunt could be made to run programs if it received specially crafted input.

Software Description

• grunt - JavaScript task runner/build system/maintainer tool

Details

It was discovered that Grunt did not properly load yaml files. An attacker could possibly use this to execute arbitrary code. (CVE-2020-7729)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

grunt - 1.0.1-8ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-7729

quassel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

Quassel could be made to crash or run programs if it received specially crafted network traffic.

Software Description

• quassel - distributed IRC client - monolithic core+client

Details

It was discovered that Quassel incorrectly handled Qdatastream protocol. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2018-1000178)

It was discovered that Quassel incorrectly handled certain login requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2018-1000179)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

quassel - 1:0.12.4-3ubuntu1.18.04.3

quassel-core - 1:0.12.4-3ubuntu1.18.04.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2018-1000178
• CVE-2018-1000179

italc vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in iTALC.

Software Description

• italc - didact tool which allows teachers to view and control computer labs

Details

Nicolas Ruff discovered that iTALC had buffer overflows, divide-by-zero errors and didn’t check malloc return values. A remote attacker could use these issues to cause a denial of service or possibly execute arbitrary code. (CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055)

Josef Gajdusek discovered that iTALC had heap-based buffer overflow vulnerabilities. A remote attacker could used these issues to cause a denial of service or possibly execute arbitrary code. (CVE-2016-9941, CVE-2016-9942)

It was discovered that iTALC had an out-of-bounds write, multiple heap out-of-bounds writes, an infinite loop, improper initializations, and null pointer vulnerabilities. A remote attacker could used these issues to cause a denial of service or possibly execute arbitrary code. (CVE-2018-15127, CVE-2018-20019, CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20023, CVE-2018-20024, CVE-2018-20748, CVE-2018-20749, CVE-2018-20750, CVE-2018-7225, CVE-2019-15681)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

italc-client - 1:2.0.2+dfsg1-4ubuntu0.1

italc-master - 1:2.0.2+dfsg1-4ubuntu0.1

libitalccore - 1:2.0.2+dfsg1-4ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2014-6051
• CVE-2014-6052
• CVE-2014-6053
• CVE-2014-6054
• CVE-2014-6055
• CVE-2016-9941
• CVE-2016-9942
• CVE-2018-15127
• CVE-2018-20019
• CVE-2018-20020
• CVE-2018-20021
• CVE-2018-20022
• CVE-2018-20023
• CVE-2018-20024
• CVE-2018-20748
• CVE-2018-20749
• CVE-2018-20750
• CVE-2018-7225
• CVE-2019-15681

php-imagick vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

PHP ImageMagick could be made to crash if it received specially crafted input.

Software Description

• php-imagick - PHP extension to create and modify images using the ImageMagick API

Details

It was discovered that PHP ImageMagick extension didn’t check the address used by an array. An attacker could use this issue to cause PHP ImageMagick to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

php-imagick - 3.4.3~rc2-2ubuntu4.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-11037

freetype vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

FreeType could be made to crash or run programs as your login if it opened a specially crafted file.

Software Description

• freetype - FreeType 2 is a font engine library

Details

Sergei Glazunov discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

libfreetype6 - 2.10.1-2ubuntu0.1

Ubuntu 18.04 LTS

libfreetype6 - 2.8.1-2ubuntu2.1

Ubuntu 16.04 LTS

libfreetype6 - 2.6.1-0.1ubuntu2.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make all the necessary changes.

References

• CVE-2020-15999

linux-oem-osp1, linux-raspi2-5.3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux-oem-osp1 - Linux kernel for OEM systems
• linux-raspi2-5.3 - Linux kernel for Raspberry Pi (V8) systems

Details

Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351)

Andy Nguyen discovered that the Bluetooth A2MP implementation in the Linux kernel did not properly initialize memory in some situations. A physically proximate remote attacker could use this to expose sensitive information (kernel memory). (CVE-2020-12352)

Andy Nguyen discovered that the Bluetooth HCI event packet parser in the Linux kernel did not properly handle event advertisements of certain sizes, leading to a heap-based buffer overflow. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-24490)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

linux-image-5.0.0-1070-oem-osp1 - 5.0.0-1070.76

linux-image-5.3.0-1036-raspi2 - 5.3.0-1036.38

linux-image-oem-osp1 - 5.0.0.1070.68

linux-image-raspi2-hwe-18.04 - 5.3.0.1036.25

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2020-12351
• CVE-2020-12352
• CVE-2020-24490

linux, linux-hwe, linux-hwe-5.4, linux-oem, linux-raspi, linux-raspi-5.4, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel
• linux-raspi - Linux kernel for Raspberry Pi (V8) systems
• linux-hwe-5.4 - Linux hardware enablement (HWE) kernel
• linux-oem - Linux kernel for OEM systems
• linux-raspi-5.4 - Linux kernel for Raspberry Pi (V8) systems
• linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
• linux-hwe - Linux hardware enablement (HWE) kernel

Details

Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351)

Andy Nguyen discovered that the Bluetooth A2MP implementation in the Linux kernel did not properly initialize memory in some situations. A physically proximate remote attacker could use this to expose sensitive information (kernel memory). (CVE-2020-12352)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

linux-image-5.4.0-1022-raspi - 5.4.0-1022.25

linux-image-5.4.0-52-generic - 5.4.0-52.57

linux-image-5.4.0-52-generic-lpae - 5.4.0-52.57

linux-image-5.4.0-52-lowlatency - 5.4.0-52.57

linux-image-generic - 5.4.0.52.55

linux-image-generic-hwe-18.04 - 5.4.0.52.55

linux-image-generic-hwe-18.04-edge - 5.4.0.52.55

linux-image-generic-hwe-20.04 - 5.4.0.52.55

linux-image-generic-lpae - 5.4.0.52.55

linux-image-generic-lpae-hwe-18.04 - 5.4.0.52.55

linux-image-generic-lpae-hwe-18.04-edge - 5.4.0.52.55

linux-image-generic-lpae-hwe-20.04 - 5.4.0.52.55

linux-image-lowlatency - 5.4.0.52.55

linux-image-lowlatency-hwe-18.04 - 5.4.0.52.55

linux-image-lowlatency-hwe-18.04-edge - 5.4.0.52.55

linux-image-lowlatency-hwe-20.04 - 5.4.0.52.55

linux-image-oem - 5.4.0.52.55

linux-image-oem-osp1 - 5.4.0.52.55

linux-image-raspi - 5.4.0.1022.57

linux-image-raspi-hwe-18.04 - 5.4.0.1022.57

linux-image-raspi-hwe-18.04-edge - 5.4.0.1022.57

linux-image-raspi2 - 5.4.0.1022.57

linux-image-raspi2-hwe-18.04 - 5.4.0.1022.57

linux-image-raspi2-hwe-18.04-edge - 5.4.0.1022.57

linux-image-virtual - 5.4.0.52.55

linux-image-virtual-hwe-18.04 - 5.4.0.52.55

linux-image-virtual-hwe-18.04-edge - 5.4.0.52.55

linux-image-virtual-hwe-20.04 - 5.4.0.52.55

Ubuntu 18.04 LTS

linux-image-4.15.0-1090-snapdragon - 4.15.0-1090.99

linux-image-4.15.0-1100-oem - 4.15.0-1100.110

linux-image-4.15.0-122-generic - 4.15.0-122.124

linux-image-4.15.0-122-generic-lpae - 4.15.0-122.124

linux-image-4.15.0-122-lowlatency - 4.15.0-122.124

linux-image-5.4.0-1022-raspi - 5.4.0-1022.25~18.04.1

linux-image-5.4.0-52-generic - 5.4.0-52.57~18.04.1

linux-image-5.4.0-52-generic-lpae - 5.4.0-52.57~18.04.1

linux-image-5.4.0-52-lowlatency - 5.4.0-52.57~18.04.1

linux-image-generic - 4.15.0.122.109

linux-image-generic-hwe-18.04 - 5.4.0.52.57~18.04.46

linux-image-generic-lpae - 4.15.0.122.109

linux-image-generic-lpae-hwe-18.04 - 5.4.0.52.57~18.04.46

linux-image-lowlatency - 4.15.0.122.109

linux-image-lowlatency-hwe-18.04 - 5.4.0.52.57~18.04.46

linux-image-oem - 4.15.0.1100.104

linux-image-powerpc-e500mc - 4.15.0.122.109

linux-image-powerpc-smp - 4.15.0.122.109

linux-image-powerpc64-emb - 4.15.0.122.109

linux-image-powerpc64-smp - 4.15.0.122.109

linux-image-raspi-hwe-18.04 - 5.4.0.1022.26

linux-image-snapdragon - 4.15.0.1090.93

linux-image-snapdragon-hwe-18.04 - 5.4.0.52.57~18.04.46

linux-image-virtual - 4.15.0.122.109

linux-image-virtual-hwe-18.04 - 5.4.0.52.57~18.04.46

Ubuntu 16.04 LTS

linux-image-4.15.0-122-generic - 4.15.0-122.124~16.04.1

linux-image-4.15.0-122-generic-lpae - 4.15.0-122.124~16.04.1

linux-image-4.15.0-122-lowlatency - 4.15.0-122.124~16.04.1

linux-image-generic-hwe-16.04 - 4.15.0.122.122

linux-image-generic-hwe-16.04-edge - 4.15.0.122.122

linux-image-generic-lpae-hwe-16.04 - 4.15.0.122.122

linux-image-generic-lpae-hwe-16.04-edge - 4.15.0.122.122

linux-image-lowlatency-hwe-16.04 - 4.15.0.122.122

linux-image-lowlatency-hwe-16.04-edge - 4.15.0.122.122

linux-image-oem - 4.15.0.122.122

linux-image-virtual-hwe-16.04 - 4.15.0.122.122

linux-image-virtual-hwe-16.04-edge - 4.15.0.122.122

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2020-12351
• CVE-2020-12352

flightgear vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

FlightGear could be made to crash if it received specially crafted input.

Software Description

• flightgear - Flight Gear Flight Simulator

Details

It was discovered that FlightGear could write arbitrary files if received a special nasal script. A remote attacker could exploit this with a crafted file to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

flightgear - 3.4.0-3ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2016-9956

collabtive vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Collabtive could be made to run programs if it received specially crafted network traffic from an authenticated user.

Software Description

• collabtive - Web-based project management software

Details

It was discovered that Collabtive did not properly validate avatar image file uploads. An authenticated user could exploit this with a crafted file to cause Collabtive to execute arbitrary code. (CVE-2015-0258)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

collabtive - 2.0+dfsg-6ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2015-0258

newsbeuter vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Newsbeuter could be made to crash or run programs as your login if it opened a malicious file.

Software Description

• newsbeuter - open-source RSS/Atom feed reader for text terminals

Details

It was discovered that Newsbeuter didn’t handle the command line input properly. An remote attacker could use it to ran remote code by crafting a special input file. (CVE-2017-12904)

It was discovered that Newsbeuter didn’t handle metacharacters in its filename properly. An remote attacker could use it to ran remote code by crafting a special filename. (CVE-2017-14500)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

newsbeuter - 2.9-3ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2017-12904
• CVE-2017-14500

firefox regressions

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

USN-4546-1 caused some minor regressions in Firefox.

Software Description

• firefox - Mozilla Open Source web browser

Details

USN-4546-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, conduct cross-site scripting (XSS) attacks, spoof the site displayed in the download dialog, or execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

firefox - 81.0.2+build1-0ubuntu0.20.04.1

Ubuntu 18.04 LTS

firefox - 81.0.2+build1-0ubuntu0.18.04.1

Ubuntu 16.04 LTS

firefox - 81.0.2+build1-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make all the necessary changes.

References

• USN-4546-1
• LP: 1900032

htmlunit vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

HtmlUnit could be made to crash or run programs as an administrator if it opened a specially crafted file.

Software Description

• htmlunit - headless web browser written in Java

Details

It was discovered that HtmlUnit incorrectly initialized Rhino engine. An Attacker could possibly use this issue to execute arbitrary Java code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

libhtmlunit-java - 2.8-1ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-5529