ubuntu bionic v1.36
Metadata:
BOSH Agent Version: 2.389.0
USNs:
Title: USN-5101-1: MongoDB vulnerability
URL: https://ubuntu.com/security/notices/USN-5101-1
Priorities: medium
Description:
It was discovered that MongoDB incorrectly handled certain wire protocol
messages. A remote attacker could possibly use this issue to cause MongoDB
to crash, resulting in a denial of service.
CVEs:
Title: USN-5102-1: Mercurial vulnerabilities
URL: https://ubuntu.com/security/notices/USN-5102-1
Priorities: medium
Description:
It was discovered that Mercurial mishandled symlinks in subrepositories. An
attacker could use this issue to write arbitrary files to the
target’s filesystem. (CVE-2019-3902)
It was discovered that Mercurial incorrectly handled certain manifest files.
An attacker could use this issue to cause a denial of service and possibly
execute arbitrary code. (CVE-2018-17983)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-3902
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17983
Title: USN-5110-1: Ardour vulnerability
URL: https://ubuntu.com/security/notices/USN-5110-1
Priorities: medium
Description:
It was discovered that Ardour incorrectly handled certain XML files.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code.
CVEs:
Title: USN-5114-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-5114-1
Priorities: medium,low
Description:
It was discovered that a race condition existed in the Atheros Ath9k WiFi
driver in the Linux kernel. An attacker could possibly use this to expose
sensitive information (WiFi network traffic). (CVE-2020-3702)
It was discovered that the KVM hypervisor implementation in the Linux
kernel did not properly compute the access permissions for shadow pages in
some situations. A local attacker could use this to cause a denial of
service. (CVE-2021-38198)
It was discovered that the ext4 file system in the Linux kernel contained a
race condition when writing xattrs to an inode. A local attacker could use
this to cause a denial of service or possibly gain administrative
privileges. (CVE-2021-40490)
It was discovered that the 6pack network protocol driver in the Linux
kernel did not properly perform validation checks. A privileged attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2021-42008)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3702
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-40490
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-38198
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-42008
Title: USN-5098-1: bl vulnerability
URL: https://ubuntu.com/security/notices/USN-5098-1
Priorities: medium
Description:
It was discovered that bl did not properly sanitize its inputs. An attacker
could use this to leak sensitive information.
CVEs:
Title: USN-5104-1: Squid vulnerability
URL: https://ubuntu.com/security/notices/USN-5104-1
Priorities: medium
Description:
Lyu discovered that Squid incorrectly handled WCCP protocol data. A remote
attacker could use this issue to cause Squid to crash, resulting in a
denial of service, or possibly obtain sensitive information.
CVEs:
Title: USN-5116-1: Linux kernel vulnerabilities
URL: https://ubuntu.com/security/notices/USN-5116-1
Priorities: medium,low
Description:
It was discovered that a race condition existed in the Atheros Ath9k WiFi
driver in the Linux kernel. An attacker could possibly use this to expose
sensitive information (WiFi network traffic). (CVE-2020-3702)
Alois Wohlschlager discovered that the overlay file system in the Linux
kernel did not restrict private clones in some situations. An attacker
could use this to expose sensitive information. (CVE-2021-3732)
It was discovered that the KVM hypervisor implementation in the Linux
kernel did not properly compute the access permissions for shadow pages in
some situations. A local attacker could use this to cause a denial of
service. (CVE-2021-38198)
It was discovered that the Xilinx 10/100 Ethernet Lite device driver in the
Linux kernel could report pointer addresses in some situations. An attacker
could use this information to ease the exploitation of another
vulnerability. (CVE-2021-38205)
It was discovered that the ext4 file system in the Linux kernel contained a
race condition when writing xattrs to an inode. A local attacker could use
this to cause a denial of service or possibly gain administrative
privileges. (CVE-2021-40490)
It was discovered that the 6pack network protocol driver in the Linux
kernel did not properly perform validation checks. A privileged attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2021-42008)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-38198
- https://people.canonical.com/~ubuntu-security/cve/CVE-2020-3702
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-3732
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-42008
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-40490
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-38205
Title: USN-5107-1: Firefox vulnerabilities
URL: https://ubuntu.com/security/notices/USN-5107-1
Priorities: medium
Description:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof another
origin, or execute arbitrary code.
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-38497
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-32810
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-38501
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-38499
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-38496
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-38498
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-38500
Title: USN-5103-1: docker.io vulnerability
URL: https://ubuntu.com/security/notices/USN-5103-1
Priorities: medium
Description:
Lei Wang and Ruizhi Xiao discovered that the Moby Docker engine in
Docker incorrectly allowed the docker cp command to make permissions
changes in the host filesystem in some situations. A local attacker
could possibly use this to expose sensitive information or gain
administrative privileges.
CVEs:
Title: USN-5111-1: strongSwan vulnerabilities
URL: https://ubuntu.com/security/notices/USN-5111-1
Priorities: medium
Description:
It was discovered that strongSwan incorrectly handled certain RSASSA-PSS
signatures. A remote attacker could use this issue to cause strongSwan to
crash, resulting in a denial of service. (CVE-2021-41990)
It was discovered that strongSwan incorrectly handled replacing
certificates in the cache. A remote attacker could use this issue to cause
strongSwan to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2021-41991)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-41991
- https://people.canonical.com/~ubuntu-security/cve/CVE-2021-41990
Title: USN-5121-1: Mailman vulnerabilities
URL: https://ubuntu.com/security/notices/USN-5121-1
Priorities: high
Description:
Andre Protas, Richard Cloke, and Andy Nuttall discovered that Mailman
did not properly associate cross-site request forgery (CSRF) tokens
to specific accounts. A remote attacker could use this to perform a
CSRF attack to gain access to another account. (CVE-2021-42097)
Andre Protas, Richard Cloke, and Andy Nuttall discovered that Mailman's
cross-site request forgery (CSRF) tokens for the options page are
derived from the admin password. A remote attacker could possibly use
this to assist in performing a brute force attack against the admin
password. (CVE-2021-42096)
CVEs:
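The Mailman entry above describes two related token weaknesses: CSRF tokens that are not tied to a specific account, and options-page tokens derived from the admin password. The toy model below is an added example written for this page, not Mailman's code or algorithm; the list name, admin password, session nonce and all function names are constructed. It shows why a token computed only from long-lived server secrets is both transferable between accounts and an offline brute-force oracle, next to a keyed, account-bound design that has neither property.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; not Mailman's real secret, algorithm or field names.
LIST_NAME = "announce"
ADMIN_PASSWORD = "correct horse"


def weak_options_token(list_name: str, admin_password: str) -> str:
    """Toy model of the weakness: a token computed only from long-lived server
    secrets. It carries no account or session input, so the same value is valid
    for every member (no account binding), and one observed token lets an
    attacker test password guesses offline."""
    return hashlib.sha1(f"{list_name}:{admin_password}".encode()).hexdigest()


def offline_guess(observed_token: str, list_name: str, candidates):
    """Attacker side: grind candidate passwords against one captured token
    without sending a single request to the server."""
    for pw in candidates:
        if hmac.compare_digest(weak_options_token(list_name, pw), observed_token):
            return pw
    return None


# Hardened design: a random per-deployment key (never the admin password) and the
# account plus its session nonce inside the MAC, so a token issued to one account
# is useless for another and reveals nothing about the admin password.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(account: str, session_nonce: str, key: bytes = SERVER_KEY) -> str:
    """session_nonce is a hypothetical random per-session value the server stores
    alongside the session; it is what makes a stolen token expire with the session."""
    msg = f"{account}\x00{session_nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_token(token: str, account: str, session_nonce: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute for the *requesting* account and session; a token minted for
    someone else fails here instead of being accepted as a generic list token."""
    return hmac.compare_digest(token, issue_token(account, session_nonce, key))


if __name__ == "__main__":
    leaked = weak_options_token(LIST_NAME, ADMIN_PASSWORD)
    print("recovered admin password:", offline_guess(leaked, LIST_NAME, ["hunter2", "correct horse"]))
    nonce = secrets.token_hex(16)
    alice = issue_token("alice@example.org", nonce)
    print("alice token valid for bob?", verify_token(alice, "bob@example.org", nonce))
```

The design point is that the verifier must recompute the token from the identity of the account making the request, not merely check that the token is well-formed for the list; and that nothing an attacker can observe should be a deterministic function of a password worth guessing.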
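The USN entries on this page share one flat layout (Title, URL, Priorities, Description, CVEs). The parser below is an added example for consuming these stemcell notes, not part of the release notes or of any BOSH tooling. It turns the text into records and collects CVE ids from both the CVEs list and the description, because several entries above leave the list empty while naming the ids in prose (the MongoDB, Ardour, bl, Squid and docker.io entries name none at all); those are returned separately, since they need a manual lookup at the USN URL before they can be matched against scanner output. SAMPLE_NOTES is a constructed excerpt abridged from this page.

```python
import re
from dataclasses import dataclass, field

# Matches CVE ids both in prose ("(CVE-2019-3902)") and inside tracker URLs.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Ubuntu USN priority levels, lowest to highest.
PRIORITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class UsnEntry:
    usn: str
    title: str
    url: str = ""
    priorities: list = field(default_factory=list)
    description: str = ""
    cves: set = field(default_factory=set)

    @property
    def max_priority(self) -> str:
        """Highest listed priority, e.g. 'medium' for 'medium,low'."""
        return max(self.priorities, key=lambda p: PRIORITY_RANK.get(p, -1), default="unknown")


def _close(entry, desc_lines, entries):
    """Finish one record: join the wrapped description and pull CVE ids from it."""
    entry.description = " ".join(desc_lines)
    entry.cves.update(CVE_RE.findall(entry.description))
    entries.append(entry)


def parse_usn_notes(text: str) -> list:
    """Parse the flat Title/URL/Priorities/Description/CVEs layout into UsnEntry records."""
    entries, current, section, desc_lines = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Title: "):
            if current is not None:
                _close(current, desc_lines, entries)
            title = line[len("Title: "):]
            current = UsnEntry(usn=title.split(":", 1)[0], title=title)
            section, desc_lines = None, []
        elif current is None:
            continue  # stemcell metadata lines before the first USN entry
        elif line.startswith("URL: "):
            current.url = line[len("URL: "):]
        elif line.startswith("Priorities: "):
            current.priorities = [p.strip() for p in line[len("Priorities: "):].split(",") if p.strip()]
        elif line == "Description:":
            section = "description"
        elif line == "CVEs:":
            section = "cves"
        elif section == "description":
            desc_lines.append(line)
        elif section == "cves" and line.startswith("- "):
            current.cves.update(CVE_RE.findall(line))
    if current is not None:
        _close(current, desc_lines, entries)
    return entries


def entries_without_cves(entries) -> list:
    """USNs that cite no CVE id anywhere; check these by hand at the USN URL."""
    return [e.usn for e in entries if not e.cves]


# Constructed excerpt, abridged from the notes on this page.
SAMPLE_NOTES = """ubuntu bionic v1.36
USNs:
Title: USN-5101-1: MongoDB vulnerability
URL: https://ubuntu.com/security/notices/USN-5101-1
Priorities: medium
Description:
It was discovered that MongoDB incorrectly handled certain wire protocol
messages. A remote attacker could possibly use this issue to cause a denial of service.
CVEs:
Title: USN-5102-1: Mercurial vulnerabilities
URL: https://ubuntu.com/security/notices/USN-5102-1
Priorities: medium,low
Description:
It was discovered that Mercurial mishandled symlinks in subrepositories. (CVE-2019-3902)
CVEs:
- https://people.canonical.com/~ubuntu-security/cve/CVE-2019-3902
- https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17983
Title: USN-5121-1: Mailman vulnerabilities
URL: https://ubuntu.com/security/notices/USN-5121-1
Priorities: high
Description:
Mailman did not properly associate CSRF tokens to specific accounts. (CVE-2021-42097)
CSRF tokens for the options page are derived from the admin password. (CVE-2021-42096)
CVEs:
"""

if __name__ == "__main__":
    parsed = parse_usn_notes(SAMPLE_NOTES)
    for e in parsed:
        print(e.usn, e.max_priority, sorted(e.cves) or "(no CVE ids)")
    print("needs manual lookup:", entries_without_cves(parsed))
```

Feed it the whole notes file rather than the excerpt to get the full id set for this stemcell version; the union of listed and prose-mentioned ids is what you want to diff against an image scanner's findings, and the "needs manual lookup" list is where that diff will otherwise be silently incomplete.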