Ubuntu Security Advisories

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software Description

• thunderbird - Mozilla Open Source mail and newsgroup client

Details

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. (CVE-2020-6831, CVE-2020-12387, CVE-2020-12395)

It was discovered that the Devtools’ ‘Copy as cURL’ feature did not properly escape the HTTP POST data of a request. If a user were tricked in to using the ‘Copy as cURL’ feature to copy and paste a command with specially crafted data in to a terminal, an attacker could potentially exploit this to obtain sensitive information from local files. (CVE-2020-12392)

It was discovered that Thunderbird did not correctly handle Unicode whitespace characters within the From email header. An attacker could potentially exploit this to spoof the sender email address that Thunderbird displays. (CVE-2020-12397)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

thunderbird - 1:68.8.0+build2-0ubuntu0.20.04.2

Ubuntu 19.10

thunderbird - 1:68.8.0+build2-0ubuntu0.19.10.2

Ubuntu 18.04 LTS

thunderbird - 1:68.8.0+build2-0ubuntu0.18.04.2

Ubuntu 16.04 LTS

thunderbird - 1:68.8.0+build2-0ubuntu0.16.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make all the necessary changes.

References

• CVE-2020-12387
• CVE-2020-12392
• CVE-2020-12395
• CVE-2020-12397
• CVE-2020-6831

linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-riscv vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-azure - Linux kernel for Microsoft Azure Cloud systems
• linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
• linux-kvm - Linux kernel for cloud environments
• linux-oracle - Linux kernel for Oracle Cloud systems
• linux-raspi - Linux kernel for Raspberry Pi (V8) systems
• linux-riscv - Linux kernel for RISC-V systems

Details

It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377)

It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

linux-image-5.4.0-1011-aws - 5.4.0-1011.11

linux-image-5.4.0-1011-gcp - 5.4.0-1011.11

linux-image-5.4.0-1011-kvm - 5.4.0-1011.11

linux-image-5.4.0-1011-oracle - 5.4.0-1011.11

linux-image-5.4.0-1011-raspi - 5.4.0-1011.11

linux-image-5.4.0-1012-azure - 5.4.0-1012.12

linux-image-5.4.0-26-generic - 5.4.0-26.30

linux-image-5.4.0-31-generic - 5.4.0-31.35

linux-image-5.4.0-31-generic-lpae - 5.4.0-31.35

linux-image-5.4.0-31-lowlatency - 5.4.0-31.35

linux-image-aws - 5.4.0.1011.14

linux-image-azure - 5.4.0.1012.14

linux-image-gcp - 5.4.0.1011.12

linux-image-generic - 5.4.0.26.33

linux-image-generic-lpae - 5.4.0.31.36

linux-image-gke - 5.4.0.1011.12

linux-image-kvm - 5.4.0.1011.12

linux-image-lowlatency - 5.4.0.31.36

linux-image-oem - 5.4.0.31.36

linux-image-oem-osp1 - 5.4.0.31.36

linux-image-oracle - 5.4.0.1011.12

linux-image-raspi - 5.4.0.1011.11

linux-image-raspi2 - 5.4.0.1011.11

linux-image-virtual - 5.4.0.26.33

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2019-19377
• CVE-2020-11565
• CVE-2020-12657
• CVE-2020-12826

linux, linux-aws, linux-aws-5.3, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.10
• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-azure - Linux kernel for Microsoft Azure Cloud systems
• linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
• linux-kvm - Linux kernel for cloud environments
• linux-oracle - Linux kernel for Oracle Cloud systems
• linux-raspi2 - Linux kernel for Raspberry Pi (V7) systems
• linux-aws-5.3 - Linux kernel for Amazon Web Services (AWS) systems
• linux-azure-5.3 - Linux kernel for Microsoft Azure Cloud systems
• linux-gcp-5.3 - Linux kernel for Google Cloud Platform (GCP) systems
• linux-gke-5.3 - Linux kernel for Google Container Engine (GKE) systems
• linux-hwe - Linux hardware enablement (HWE) kernel
• linux-oracle-5.3 - Linux kernel for Oracle Cloud systems

Details

It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377)

Tristan Madani discovered that the file locking implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service or expose sensitive information. (CVE-2019-19769)

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608)

It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609)

It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668)

It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10

linux-image-5.3.0-1017-kvm - 5.3.0-1017.19

linux-image-5.3.0-1018-oracle - 5.3.0-1018.20

linux-image-5.3.0-1019-aws - 5.3.0-1019.21

linux-image-5.3.0-1020-gcp - 5.3.0-1020.22

linux-image-5.3.0-1022-azure - 5.3.0-1022.23

linux-image-5.3.0-1025-raspi2 - 5.3.0-1025.27

linux-image-5.3.0-53-generic - 5.3.0-53.47

linux-image-5.3.0-53-generic-lpae - 5.3.0-53.47

linux-image-5.3.0-53-lowlatency - 5.3.0-53.47

linux-image-5.3.0-53-snapdragon - 5.3.0-53.47

linux-image-aws - 5.3.0.1019.31

linux-image-azure - 5.3.0.1022.41

linux-image-gcp - 5.3.0.1020.31

linux-image-generic - 5.3.0.53.45

linux-image-generic-lpae - 5.3.0.53.45

linux-image-gke - 5.3.0.1020.31

linux-image-kvm - 5.3.0.1017.19

linux-image-lowlatency - 5.3.0.53.45

linux-image-oracle - 5.3.0.1018.33

linux-image-raspi2 - 5.3.0.1025.22

linux-image-snapdragon - 5.3.0.53.45

linux-image-virtual - 5.3.0.53.45

Ubuntu 18.04 LTS

linux-image-5.3.0-1018-oracle - 5.3.0-1018.20~18.04.1

linux-image-5.3.0-1019-aws - 5.3.0-1019.21~18.04.1

linux-image-5.3.0-1020-gcp - 5.3.0-1020.22~18.04.1

linux-image-5.3.0-1020-gke - 5.3.0-1020.22~18.04.1

linux-image-5.3.0-1022-azure - 5.3.0-1022.23~18.04.1

linux-image-5.3.0-53-generic - 5.3.0-53.47~18.04.1

linux-image-5.3.0-53-generic-lpae - 5.3.0-53.47~18.04.1

linux-image-5.3.0-53-lowlatency - 5.3.0-53.47~18.04.1

linux-image-aws - 5.3.0.1019.20

linux-image-aws-edge - 5.3.0.1019.20

linux-image-azure - 5.3.0.1022.22

linux-image-azure-edge - 5.3.0.1022.22

linux-image-gcp - 5.3.0.1020.19

linux-image-gcp-edge - 5.3.0.1020.19

linux-image-generic-hwe-18.04 - 5.3.0.53.109

linux-image-generic-lpae-hwe-18.04 - 5.3.0.53.109

linux-image-gke-5.3 - 5.3.0.1020.10

linux-image-gkeop-5.3 - 5.3.0.53.109

linux-image-lowlatency-hwe-18.04 - 5.3.0.53.109

linux-image-oracle - 5.3.0.1018.19

linux-image-snapdragon-hwe-18.04 - 5.3.0.53.109

linux-image-virtual-hwe-18.04 - 5.3.0.53.109

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2019-19377
• CVE-2019-19769
• CVE-2020-11494
• CVE-2020-11565
• CVE-2020-11608
• CVE-2020-11609
• CVE-2020-11668
• CVE-2020-12657
• CVE-2020-12826

clamav vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

Several security issues were fixed in ClamAV.

Software Description

• clamav - Anti-virus utility for Unix

Details

USN-4370-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.

Original advisory details:

It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327)

It was discovered that ClamAV incorrectly handled parsing PDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3341)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

clamav - 0.102.3+dfsg-0ubuntu0.14.04.1+esm1

Ubuntu 12.04 ESM

clamav - 0.102.3+dfsg-0ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References

• USN-4370-1
• CVE-2020-3327
• CVE-2020-3341

qemu vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in QEMU.

Software Description

• qemu - Machine emulator and virtualizer

Details

It was discovered that QEMU incorrectly handled bochs-display devices. A local attacker in a guest could use this to cause a denial of service or possibly execute arbitrary code in the host. This issue only affected Ubuntu 19.10. (CVE-2019-15034)

It was discovered that QEMU incorrectly handled memory during certain VNC operations. A remote attacker could possibly use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2019-20382)

It was discovered that QEMU incorrectly generated QEMU Pointer Authentication signatures on ARM. A local attacker could possibly use this issue to bypass PAuth. This issue only affected Ubuntu 19.10. (CVE-2020-10702)

Ziming Zhang discovered that QEMU incorrectly handled ATI VGA emulation. A local attacker in a guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-11869)

Aviv Sasson discovered that QEMU incorrectly handled Slirp networking. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2020-1983)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

qemu - 1:4.2-3ubuntu6.1

qemu-system - 1:4.2-3ubuntu6.1

qemu-system-arm - 1:4.2-3ubuntu6.1

qemu-system-mips - 1:4.2-3ubuntu6.1

qemu-system-ppc - 1:4.2-3ubuntu6.1

qemu-system-s390x - 1:4.2-3ubuntu6.1

qemu-system-sparc - 1:4.2-3ubuntu6.1

qemu-system-x86 - 1:4.2-3ubuntu6.1

Ubuntu 19.10

qemu - 1:4.0+dfsg-0ubuntu9.6

qemu-system - 1:4.0+dfsg-0ubuntu9.6

qemu-system-arm - 1:4.0+dfsg-0ubuntu9.6

qemu-system-mips - 1:4.0+dfsg-0ubuntu9.6

qemu-system-ppc - 1:4.0+dfsg-0ubuntu9.6

qemu-system-s390x - 1:4.0+dfsg-0ubuntu9.6

qemu-system-sparc - 1:4.0+dfsg-0ubuntu9.6

qemu-system-x86 - 1:4.0+dfsg-0ubuntu9.6

Ubuntu 18.04 LTS

qemu - 1:2.11+dfsg-1ubuntu7.26

qemu-system - 1:2.11+dfsg-1ubuntu7.26

qemu-system-arm - 1:2.11+dfsg-1ubuntu7.26

qemu-system-mips - 1:2.11+dfsg-1ubuntu7.26

qemu-system-ppc - 1:2.11+dfsg-1ubuntu7.26

qemu-system-s390x - 1:2.11+dfsg-1ubuntu7.26

qemu-system-sparc - 1:2.11+dfsg-1ubuntu7.26

qemu-system-x86 - 1:2.11+dfsg-1ubuntu7.26

Ubuntu 16.04 LTS

qemu - 1:2.5+dfsg-5ubuntu10.44

qemu-system - 1:2.5+dfsg-5ubuntu10.44

qemu-system-aarch64 - 1:2.5+dfsg-5ubuntu10.44

qemu-system-arm - 1:2.5+dfsg-5ubuntu10.44

qemu-system-mips - 1:2.5+dfsg-5ubuntu10.44

qemu-system-ppc - 1:2.5+dfsg-5ubuntu10.44

qemu-system-s390x - 1:2.5+dfsg-5ubuntu10.44

qemu-system-sparc - 1:2.5+dfsg-5ubuntu10.44

qemu-system-x86 - 1:2.5+dfsg-5ubuntu10.44

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual machines to make all the necessary changes.

References

• CVE-2019-15034
• CVE-2019-20382
• CVE-2020-10702
• CVE-2020-11869
• CVE-2020-1983

libvirt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.10
• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in libvirt.

Software Description

• libvirt - Libvirt virtualization toolkit

Details

It was discovered that libvirt incorrectly handled an active pool without a target path. A remote attacker could possibly use this issue to cause libvirt to crash, resulting in a denial of service. (CVE-2020-10703)

It was discovered that libvirt incorrectly handled memory when retrieving certain domain statistics. A remote attacker could possibly use this issue to cause libvirt to consume resources, resulting in a denial of service. This issue only affected Ubuntu 19.10. (CVE-2020-12430)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10

libvirt-clients - 5.4.0-0ubuntu5.4

libvirt-daemon - 5.4.0-0ubuntu5.4

libvirt0 - 5.4.0-0ubuntu5.4

Ubuntu 18.04 LTS

libvirt-clients - 4.0.0-1ubuntu8.17

libvirt-daemon - 4.0.0-1ubuntu8.17

libvirt0 - 4.0.0-1ubuntu8.17

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

• CVE-2020-10703
• CVE-2020-12430

clamav vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in ClamAV.

Software Description

• clamav - Anti-virus utility for Unix

Details

It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327)

It was discovered that ClamAV incorrectly handled parsing PDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3341)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

clamav - 0.102.3+dfsg-0ubuntu0.20.04.1

Ubuntu 19.10

clamav - 0.102.3+dfsg-0ubuntu0.19.10.1

Ubuntu 18.04 LTS

clamav - 0.102.3+dfsg-0ubuntu0.18.04.1

Ubuntu 16.04 LTS

clamav - 0.102.3+dfsg-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References

• CVE-2020-3327
• CVE-2020-3341

linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-gke-4.15 - Linux kernel for Google Container Engine (GKE) systems
• linux-kvm - Linux kernel for cloud environments
• linux-oem - Linux kernel for OEM systems
• linux-oracle - Linux kernel for Oracle Cloud systems
• linux-raspi2 - Linux kernel for Raspberry Pi (V7) systems
• linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
• linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
• linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
• linux-hwe - Linux hardware enablement (HWE) kernel

Details

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

David Gibson discovered that the Linux kernel on Power9 CPUs did not properly save and restore Authority Mask registers state in some situations. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2020-11669)

It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

linux-image-4.15.0-101-generic - 4.15.0-101.102

linux-image-4.15.0-101-generic-lpae - 4.15.0-101.102

linux-image-4.15.0-101-lowlatency - 4.15.0-101.102

linux-image-4.15.0-1039-oracle - 4.15.0-1039.43

linux-image-4.15.0-1059-gke - 4.15.0-1059.62

linux-image-4.15.0-1060-kvm - 4.15.0-1060.61

linux-image-4.15.0-1062-raspi2 - 4.15.0-1062.66

linux-image-4.15.0-1067-aws - 4.15.0-1067.71

linux-image-4.15.0-1079-snapdragon - 4.15.0-1079.86

linux-image-4.15.0-1081-oem - 4.15.0-1081.91

linux-image-aws-lts-18.04 - 4.15.0.1067.70

linux-image-generic - 4.15.0.101.91

linux-image-generic-lpae - 4.15.0.101.91

linux-image-gke - 4.15.0.1059.63

linux-image-gke-4.15 - 4.15.0.1059.63

linux-image-kvm - 4.15.0.1060.60

linux-image-lowlatency - 4.15.0.101.91

linux-image-oem - 4.15.0.1081.85

linux-image-oracle-lts-18.04 - 4.15.0.1039.48

linux-image-powerpc-e500mc - 4.15.0.101.91

linux-image-powerpc-smp - 4.15.0.101.91

linux-image-powerpc64-emb - 4.15.0.101.91

linux-image-powerpc64-smp - 4.15.0.101.91

linux-image-raspi2 - 4.15.0.1062.60

linux-image-snapdragon - 4.15.0.1079.82

linux-image-virtual - 4.15.0.101.91

Ubuntu 16.04 LTS

linux-image-4.15.0-101-generic - 4.15.0-101.102~16.04.1

linux-image-4.15.0-101-generic-lpae - 4.15.0-101.102~16.04.1

linux-image-4.15.0-101-lowlatency - 4.15.0-101.102~16.04.1

linux-image-4.15.0-1039-oracle - 4.15.0-1039.43~16.04.1

linux-image-4.15.0-1067-aws - 4.15.0-1067.71~16.04.1

linux-image-4.15.0-1071-gcp - 4.15.0-1071.81~16.04.1

linux-image-aws-hwe - 4.15.0.1067.67

linux-image-gcp - 4.15.0.1071.77

linux-image-generic-hwe-16.04 - 4.15.0.101.108

linux-image-generic-lpae-hwe-16.04 - 4.15.0.101.108

linux-image-gke - 4.15.0.1071.77

linux-image-lowlatency-hwe-16.04 - 4.15.0.101.108

linux-image-oem - 4.15.0.101.108

linux-image-oracle - 4.15.0.1039.32

linux-image-virtual-hwe-16.04 - 4.15.0.101.108

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2020-11494
• CVE-2020-11565
• CVE-2020-11669
• CVE-2020-12657

bind9 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

Several security issues were fixed in Bind.

Software Description

• bind9 - Internet Domain Name Server

Details

USN-4365-1 fixed several vulnerabilities in Bind. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.

Original advisory details:

Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack. (CVE-2020-8616)

Tobias Klein discovered that Bind incorrectly handled checking TSIG validity. A remote attacker could use this issue to cause Bind to crash, resulting in a denial of service, or possibly perform other attacks. (CVE-2020-8617)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

bind9 - 1:9.9.5.dfsg-3ubuntu0.19+esm2

Ubuntu 12.04 ESM

bind9 - 1:9.8.1.dfsg.P1-4ubuntu0.30

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4365-1
• CVE-2020-8616
• CVE-2020-8617

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-azure - Linux kernel for Microsoft Azure Cloud systems
• linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
• linux-oem - Linux kernel for OEM systems

Details

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

Update instructions

The problem can be corrected by updating your kernel livepatch to the following versions:

Ubuntu 18.04 LTS

aws - 67.1

azure - 67.1

gcp - 67.1

generic - 67.1

lowlatency - 67.1

oem - 67.1

Ubuntu 16.04 LTS

aws - 67.1

generic - 67.1

lowlatency - 67.1

Support Information

Kernels older than the levels listed below do not receive livepatch updates. If you are running a kernel version earlier than the one listed below, please upgrade your kernel as soon as possible.

Ubuntu 18.04 LTS

linux - 4.15.0-69

linux-aws - 4.15.0-1054

linux-azure - 5.0.0-1025

linux-gcp - 5.0.0-1025

linux-oem - 4.15.0-1063

Ubuntu 20.04 LTS

linux - 5.4.0-26

linux-aws - 5.4.0-1009

linux-azure - 5.4.0-1010

linux-gcp - 5.4.0-1009

linux-oem - 5.4.0-26

Ubuntu 16.04 LTS

linux - 4.4.0-168

linux-aws - 4.4.0-1098

linux-azure - 4.15.0-1063

linux-hwe - 4.15.0-69

Ubuntu 14.04 ESM

linux-lts-xenial - 4.4.0-168

References

• CVE-2020-11494

linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS
• Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-kvm - Linux kernel for cloud environments
• linux-raspi2 - Linux kernel for Raspberry Pi (V7) systems
• linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
• linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19060)

It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local attacker with the ability to perform ioctl() calls on /dev/vhost-net could use this to cause a denial of service (system crash). (CVE-2020-10942)

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608)

It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609)

It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

linux-image-4.4.0-1071-kvm - 4.4.0-1071.78

linux-image-4.4.0-1107-aws - 4.4.0-1107.118

linux-image-4.4.0-1133-raspi2 - 4.4.0-1133.142

linux-image-4.4.0-1137-snapdragon - 4.4.0-1137.145

linux-image-4.4.0-179-generic - 4.4.0-179.209

linux-image-4.4.0-179-generic-lpae - 4.4.0-179.209

linux-image-4.4.0-179-lowlatency - 4.4.0-179.209

linux-image-4.4.0-179-powerpc-e500mc - 4.4.0-179.209

linux-image-4.4.0-179-powerpc-smp - 4.4.0-179.209

linux-image-4.4.0-179-powerpc64-emb - 4.4.0-179.209

linux-image-4.4.0-179-powerpc64-smp - 4.4.0-179.209

linux-image-aws - 4.4.0.1107.111

linux-image-generic - 4.4.0.179.187

linux-image-generic-lpae - 4.4.0.179.187

linux-image-kvm - 4.4.0.1071.71

linux-image-lowlatency - 4.4.0.179.187

linux-image-powerpc-e500mc - 4.4.0.179.187

linux-image-powerpc-smp - 4.4.0.179.187

linux-image-powerpc64-emb - 4.4.0.179.187

linux-image-powerpc64-smp - 4.4.0.179.187

linux-image-raspi2 - 4.4.0.1133.133

linux-image-snapdragon - 4.4.0.1137.129

linux-image-virtual - 4.4.0.179.187

Ubuntu 14.04 ESM

linux-image-4.4.0-1067-aws - 4.4.0-1067.71

linux-image-4.4.0-179-generic - 4.4.0-179.209~14.04.1+signed1

linux-image-4.4.0-179-generic-lpae - 4.4.0-179.209~14.04.1

linux-image-4.4.0-179-lowlatency - 4.4.0-179.209~14.04.1+signed1

linux-image-4.4.0-179-powerpc-e500mc - 4.4.0-179.209~14.04.1

linux-image-4.4.0-179-powerpc-smp - 4.4.0-179.209~14.04.1

linux-image-4.4.0-179-powerpc64-emb - 4.4.0-179.209~14.04.1

linux-image-4.4.0-179-powerpc64-smp - 4.4.0-179.209~14.04.1

linux-image-aws - 4.4.0.1067.68

linux-image-generic-lpae-lts-xenial - 4.4.0.179.158

linux-image-generic-lts-xenial - 4.4.0.179.158

linux-image-lowlatency-lts-xenial - 4.4.0.179.158

linux-image-powerpc-e500mc-lts-xenial - 4.4.0.179.158

linux-image-powerpc-smp-lts-xenial - 4.4.0.179.158

linux-image-powerpc64-emb-lts-xenial - 4.4.0.179.158

linux-image-powerpc64-smp-lts-xenial - 4.4.0.179.158

linux-image-virtual-lts-xenial - 4.4.0.179.158

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2019-19060
• CVE-2020-10942
• CVE-2020-11494
• CVE-2020-11565
• CVE-2020-11608
• CVE-2020-11609
• CVE-2020-11668

linux-gke-5.0, linux-oem-osp1 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux-gke-5.0 - Linux kernel for Google Container Engine (GKE) systems
• linux-oem-osp1 - Linux kernel for OEM systems

Details

Tristan Madani discovered that the file locking implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service or expose sensitive information. (CVE-2019-19769)

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608)

It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609)

It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668)

David Gibson discovered that the Linux kernel on Power9 CPUs did not properly save and restore Authority Mask registers state in some situations. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2020-11669)

It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

linux-image-5.0.0-1037-gke - 5.0.0-1037.38

linux-image-5.0.0-1052-oem-osp1 - 5.0.0-1052.57

linux-image-gke-5.0 - 5.0.0.1037.25

linux-image-oem-osp1 - 5.0.0.1052.55

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2019-19769
• CVE-2020-11494
• CVE-2020-11565
• CVE-2020-11608
• CVE-2020-11609
• CVE-2020-11668
• CVE-2020-11669
• CVE-2020-12657

exim4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 ESM

Summary

Exim could be made to access sensitive information or bypass authentication if it received a specially crafted input.

Software Description

• exim4 - Exim is a mail transport agent

Details

It was discovered that Exim incorrectly handled certain inputs. An remote attacker could possibly use this issue to access sensitive information or authentication bypass.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

exim4-base - 4.93-13ubuntu1.1

exim4-daemon-heavy - 4.93-13ubuntu1.1

exim4-daemon-light - 4.93-13ubuntu1.1

Ubuntu 19.10

exim4-base - 4.92.1-1ubuntu3.1

exim4-daemon-heavy - 4.92.1-1ubuntu3.1

exim4-daemon-light - 4.92.1-1ubuntu3.1

Ubuntu 18.04 LTS

exim4-base - 4.90.1-1ubuntu1.5

exim4-daemon-heavy - 4.90.1-1ubuntu1.5

exim4-daemon-light - 4.90.1-1ubuntu1.5

Ubuntu 16.04 LTS

exim4-base - 4.86.2-2ubuntu2.6

exim4-daemon-heavy - 4.86.2-2ubuntu2.6

exim4-daemon-light - 4.86.2-2ubuntu2.6

Ubuntu 14.04 ESM

exim4-base - 4.82-3ubuntu2.4+esm2

exim4-daemon-heavy - 4.82-3ubuntu2.4+esm2

exim4-daemon-light - 4.82-3ubuntu2.4+esm2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-12783

bind9 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in Bind.

Software Description

• bind9 - Internet Domain Name Server

Details

Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack. (CVE-2020-8616)

Tobias Klein discovered that Bind incorrectly handled checking TSIG validity. A remote attacker could use this issue to cause Bind to crash, resulting in a denial of service, or possibly perform other attacks. (CVE-2020-8617)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

bind9 - 1:9.16.1-0ubuntu2.1

Ubuntu 19.10

bind9 - 1:9.11.5.P4+dfsg-5.1ubuntu2.2

Ubuntu 18.04 LTS

bind9 - 1:9.11.3+dfsg-1ubuntu1.12

Ubuntu 16.04 LTS

bind9 - 1:9.10.3.dfsg.P4-8ubuntu1.16

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-8616
• CVE-2020-8617

dpdk vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10
• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in DPDK.

Software Description

• dpdk - set of libraries for fast packet processing

Details

It was discovered that DPDK incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2020-10722, CVE-2020-10723, CVE-2020-10724, CVE-2020-10725, CVE-2020-10726)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

dpdk - 19.11.1-0ubuntu1.1

Ubuntu 19.10

dpdk - 18.11.5-0ubuntu0.19.10.2

Ubuntu 18.04 LTS

dpdk - 17.11.9-0ubuntu18.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-10722
• CVE-2020-10723
• CVE-2020-10724
• CVE-2020-10725
• CVE-2020-10726

dovecot vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10

Summary

Several security issues were fixed in Dovecot.

Software Description

• dovecot - IMAP and POP3 email server

Details

Philippe Antoine discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-10957, CVE-2020-10967)

Philippe Antoine discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2020-10958)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

dovecot-core - 1:2.3.7.2-1ubuntu3.1

Ubuntu 19.10

dovecot-core - 1:2.3.4.1-5ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-10957
• CVE-2020-10958
• CVE-2020-10967

json-c regression

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

USN-4360-1 introduced a regression in json-c.

Software Description

• json-c - JSON manipulation library

Details

USN-4360-1 fixed a vulnerability in json-c. The security fix introduced a memory leak in some scenarios. This update reverts the security fix pending further investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

libjson-c4 - 0.13.1+dfsg-7ubuntu0.2

Ubuntu 19.10

libjson-c4 - 0.13.1+dfsg-4ubuntu0.2

Ubuntu 18.04 LTS

libjson-c3 - 0.12.1-1.3ubuntu0.2

Ubuntu 16.04 LTS

libjson-c2 - 0.11-4ubuntu2.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4360-1
• LP: 1878723

json-c regression

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

USN-4360-1 introduced a regression in json-c.

Software Description

• json-c - JSON manipulation library

Details

USN-4360-1 fixed a vulnerability in json-c. The security fix introduced a memory leak in some scenarios. This update reverts the security fix pending further investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

libjson-c2 - 0.11-3ubuntu1.2+esm2

libjson0 - 0.11-3ubuntu1.2+esm2

Ubuntu 12.04 ESM

libjson0 - 0.9-1ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4360-1
• LP: 1878723

json-c vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

json-c could be made to execute arbitrary code if it received a specially crafted JSON file.

Software Description

• json-c - JSON manipulation library

Details

It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

libjson-c4 - 0.13.1+dfsg-7ubuntu0.1

Ubuntu 19.10

libjson-c4 - 0.13.1+dfsg-4ubuntu0.1

Ubuntu 18.04 LTS

libjson-c3 - 0.12.1-1.3ubuntu0.1

Ubuntu 16.04 LTS

libjson-c2 - 0.11-4ubuntu2.1

libjson0 - 0.11-4ubuntu2.1

Ubuntu 14.04 ESM

libjson-c2 - 0.11-3ubuntu1.2+esm1

libjson0 - 0.11-3ubuntu1.2+esm1

Ubuntu 12.04 ESM

libjson0 - 0.9-1ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-12762

apt vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 20.04 LTS
• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

APT could be made to crash if it opened a specially crafted file.

Software Description

• apt - Advanced front-end for dpkg

Details

It was discovered that APT incorrectly handled certain filenames during package installation. If an attacker could provide a specially crafted package to be installed by the system administrator, this could cause APT to crash.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS

apt - 2.0.2ubuntu0.1

Ubuntu 19.10

apt - 1.9.4ubuntu0.1

Ubuntu 18.04 LTS

apt - 1.6.12ubuntu0.1

Ubuntu 16.04 LTS

apt - 1.2.32ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2020-3810