Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ubuntu_linux
(Canonical)| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-06-12 | CVE-2021-32555 | It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the xorg-hwe-18.04 package apport hooks, it could expose private data to other local users. | Ubuntu_linux | 5.5 | ||
| 2021-11-17 | CVE-2021-3939 | Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1. | Accountsservice, Ubuntu_linux | 7.8 | ||
| 2021-12-08 | CVE-2021-44420 | In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. | Ubuntu_linux, Debian_linux, Django, Fedora, Satellite | 7.3 | ||
| 2022-01-14 | CVE-2022-20698 | A vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) Software version 0.104.1 and LTS version 0.103.4 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper checks that may result in an invalid pointer read. An attacker could exploit this vulnerability by sending a crafted OOXML file to an affected device. An exploit could allow the attacker to cause the ClamAV... | Ubuntu_linux, Clamav, Debian_linux | 7.5 | ||
| 2022-01-20 | CVE-2021-45417 | AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. | Advanced_intrusion_detection_environment, Ubuntu_linux, Debian_linux, Fedora, Enterprise_linux, Ovirt\-Node, Virtualization_host | 7.8 | ||
| 2022-01-28 | CVE-2021-4034 | A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code.... | Ubuntu_linux, Http_server, Zfs_storage_appliance_kit, Polkit, Enterprise_linux, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_for_ibm_z_systems, Enterprise_linux_for_ibm_z_systems_eus, Enterprise_linux_for_power_big_endian, Enterprise_linux_for_power_little_endian, Enterprise_linux_for_power_little_endian_eus, Enterprise_linux_for_scientific_computing, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_server_update_services_for_sap_solutions, Enterprise_linux_workstation, Scalance_lpe9403_firmware, Sinumerik_edge, Command_center, Starwind_virtual_san, Enterprise_storage, Linux_enterprise_desktop, Linux_enterprise_high_performance_computing, Linux_enterprise_server, Linux_enterprise_workstation_extension, Manager_proxy, Manager_server | 7.8 | ||
| 2022-01-31 | CVE-2021-45079 | In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. | Ubuntu_linux, Debian_linux, Extra_packages_for_enterprise_linux, Fedora, Strongswan | 9.1 | ||
| 2022-02-16 | CVE-2021-3560 | It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | Ubuntu_linux, Debian_linux, Polkit, Openshift_container_platform, Virtualization, Virtualization_host | 7.8 | ||
| 2022-02-17 | CVE-2021-3155 | snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 | Snapd, Ubuntu_linux | 5.5 | ||
| 2022-02-17 | CVE-2021-44730 | snapd 2.54.2 did not properly validate the location of the snap-confine binary. A local attacker who can hardlink this binary to another location to cause snap-confine to execute other arbitrary binaries and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1 | Snapd, Ubuntu_linux, Debian_linux, Fedora | 8.8 |