These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-288-4: dovecot regression fix

USN-288-3 fixed a vulnerability in dovecot. Unfortunately, the Ubuntu 6.06 update contained a regression that broke authentication against a MySQL database. This update fixes this again. We apologize for the inconvenience.

14 June 2006 | ubuntu-6.06-lts

USN-297-1: Thunderbird vulnerabilities

Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious web site could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775) Paul Nickerson discovered that content-defined setters on an object prototype were getting called by…

14 June 2006 | ubuntu-6.06-lts

USN-296-1: firefox vulnerabilities

Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious web site could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775) Paul Nickerson discovered that content-defined setters on an object prototype were getting called by…

9 June 2006 | ubuntu-6.06-lts

USN-295-1: xine-lib vulnerability

Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input module. By tricking a user into opening a malicious remote media location, a remote attacker could exploit this to crash Xine library frontends (like totem-xine, gxine, or xine-ui) and possibly even execute arbitrary code with the user’s privileges.

9 June 2006 | ubuntu-6.06-lts, ubuntu-5.10, ubuntu-5.04

USN-294-1: courier vulnerability

A Denial of Service vulnerability has been found in the function for encoding email addresses. Addresses containing a ‘=’ before the ‘@’ character caused Courier to hang in an endless loop, rendering the service unusable.

9 June 2006 | ubuntu-6.06-lts, ubuntu-5.10, ubuntu-5.04

USN-288-3: PostgreSQL client vulnerabilities

USN-288-1 described a PostgreSQL client vulnerability in the way the ‘'’ character is escaped in SQL queries. It was determined that the PostgreSQL backends of Exim, Dovecot, and Postfix used this unsafe escaping method. For reference, these are the details of the original USN: CVE-2006-2313: Akio Ishida and Yasuo Ohgaki discovered a…

9 June 2006 | ubuntu-6.06-lts, ubuntu-5.10, ubuntu-5.04

USN-292-1: binutils vulnerability

CVE-2006-2362 Jesus Olmos Gonzalez discovered a buffer overflow in the Tektronix Hex Format (TekHex) backend of the BFD library, such as used by the ‘strings’ utility. By tricking a user or automated system into processing a specially crafted file with ‘strings’ or a vulnerable third-party application using the BFD library, this could be…

9 June 2006 | ubuntu-6.06-lts, ubuntu-5.10, ubuntu-5.04

USN-293-1: gdm vulnerability

If the admin configured a gdm theme that provided a user list, any user could activate the gdm setup program by first choosing the setup option from the menu, clicking on the user list and entering his own (instead of root’s) password. This allowed normal users to configure potentially dangerous features like remote or automatic login. Please…

9 June 2006 | ubuntu-6.06-lts, ubuntu-5.10

USN-288-2: PostgreSQL server/client vulnerabilities

USN-288-1 fixed two vulnerabilities in Ubuntu 5.04 and Ubuntu 5.10. This update fixes the same vulnerabilities for Ubuntu 6.06 LTS. For reference, these are the details of the original USN: CVE-2006-2313: Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of invalidly-encoded multibyte text data. If a client…

9 June 2006 | ubuntu-6.06-lts

USN-291-1: FreeType vulnerabilities

Several integer overflows have been discovered in the FreeType library. By tricking a user into installing and/or opening a specially crafted font file, these could be exploited to execute arbitrary code with the privileges of that user.

8 June 2006 | ubuntu-6.06-lts, ubuntu-5.10, ubuntu-5.04