These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-8-1: gaim vulnerabilities

A buffer overflow and two remote crashes were recently discovered in gaim’s MSN protocol handler. An attacker could potentially execute arbitrary code with the user’s privileges by crafting and sending a particular MSN message.

27 October 2004 | ubuntu-4.10

USN-7-1: imagemagick vulnerability

A buffer overflow in imagemagick’s EXIF parsing routine has been discovered in imagemagick versions prior to 6.1.0. Trying to query EXIF information of a malicious image file might result in execution of arbitrary code with the user’s privileges. Since imagemagick can be used in custom printing systems, this also might lead to privilege…

27 October 2004 | ubuntu-4.10

USN-6-1: postgresql contributed script vulnerability

Recently, Trustix Secure Linux discovered a vulnerability in the postgresql-contrib package. The script “make_oidjoins_check” created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the script.

27 October 2004 | ubuntu-4.10

USN-5-1: gettext vulnerabilities

Recently, Trustix Secure Linux discovered some vulnerabilities in the gettext package. The programs “autopoint” and “gettextize” created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

27 October 2004 | ubuntu-4.10

USN-3-1: GhostScript utility script vulnerabilities

Recently, Trustix Secure Linux discovered some vulnerabilities in the gs-common package. The utilities “pv.sh” and “ps2epsi” created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

27 October 2004 | ubuntu-4.10

USN-2-1: xpdf vulnerabilities

Chris Evans discovered several integer overflow vulnerabilities in xpdf, a viewer for PDF files. The Common UNIX Printing System (CUPS) also uses the same code to print PDF files. In either case, these vulnerabilities could be exploited by an attacker by providing a specially crafted PDF file which, when processed by CUPS or xpdf, could result…

23 October 2004 | ubuntu-4.10

USN-1-1: PNG library vulnerabilities

Several integer overflow vulnerabilities were discovered in the PNG library. These vulnerabilities could be exploited by an attacker by providing a specially crafted PNG image which, when processed by the PNG library, could result in the execution of program code provided by the attacker. The PNG library is used by a variety of software packages…

23 October 2004 | ubuntu-4.10