Ubuntu Wiki

Security updates

Announcements

• Official Ubuntu Security Notices (USNs)

• Ubuntu security update notifications additional information

Media coverage

In order to stay secure, Ubuntu users should simply apply all Ubuntu security updates to their systems when they become available.

For some vulnerabilities that are highlighted by the media, we've provided additional information as part of our KnowledgeBase:

2021

• GRUB2 Secure Boot Bypass (CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233, CVE-2021-3418)

2020

• Intel power side-channels (CVE-2020-8694 and CVE-2020-8695, aka Platypus)

• GRUB2 Secure Boot Bypass (CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707, aka BootHole)

• Special Register Buffer Data Sampling (SRBDS) Hardware Vulnerability in Intel CPUs (CVE-2020-0543, aka Crosstalk)

2019

• runC / docker.io Privileged Container Escape (CVE-2019-5736)

• Snap Socket Parsing (CVE-2019-7304)

• Microarchitectural Data Sampling (MDS) (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091)

• SACK Panic and Other TCP Denial of Service Issues (CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479)

• Kubernetes API Server Vulnerability (CVE-2019-11247)

• HTTP/2 Denial of Service Vulnerabilities

• TSX Asynchronous Abort (TAA, CVE-2019-11135), Intel® Processor Machine Check Error (MCEPSC, CVE-2018-12207), and i915 graphics (CVE-2019-0155, CVE-2019-0154) vulnerabilities

2018

• Mov/Pop SS vulnerabilities (CVE-2018-8897 and CVE-2018-1087)

• Variant 4 of Side Channel issues (CVE-2018-3639)

• Lazy FP Save/Restore (CVE-2018-3665)

• Bounds Check Bypass Store (BCBS) (CVE-2018-3693)

• NetSpectre

• L1 Terminal Fault (L1TF) (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646)

2017

• BlueBorne bluetooth vulnerabilities (CVE-2017-1000250, CVE-2017-1000251)

• Spectre and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754, and CVE-2017-5715)

2016

• OpenSSH Client Roaming (CVE-2016-0777, CVE-2016-0778)

• httpoxy CGI application vulnerability

2015

• GHOST (CVE-2015-0235)

• VENOM (CVE-2015-3456)

• LogJam (CVE-2015-4000)

• Stagefright (CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829)

Vulnerability Resources

• Ubuntu CVE tracker

• Ubuntu CVE Tracker (web view)

• Common Vulnerabilities and Exposures (CVEs)

• National Vulnerabilities Database

• Open Source Software Security

Update processes

• Security update procedures

• StableReleaseUpdates/MicroReleaseExceptions

• StableReleaseUpdates (SRU)

• Backport Requests

Update techniques

• How to prepare an updated package

• How to handle backporting security updates

  • schroot/sbuild setup

  • virtual machine setup

• How to test the update

  • QA Regression Testing

  • Proof of Concept (PoC)
  • Build test suites (eg, 'make check')
• ABI compatibility (eg, check-symbols, nm)
• Checklists

• Media coverage

Policies

• Ubuntu Security Policies

• Creating enforcing AppArmor profiles policy

Features

• Feature Matrix (for all releases since Dapper, see the Historical Feature Matrix.)

• Security Hardening Compiler Flags

• AppArmor Profiles

• Applications Built with PIE

• AppArmor docs

• SELinux docs

Process

• Bug Triage

• Release Cycle Actions

Problems

• DebuggingSecurity for bug reports

• DebuggingApparmor for bug reports dealing with AppArmor profiles

CategorySecurityTeam