These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-380-2: avahi regression

USN-380-1 fixed a vulnerability in Avahi. However, if used with NetworkManager, that version occasionally failed to resolve .local DNS names until Avahi was restarted. This update fixes the problem. We apologize for the inconvenience.

14 December 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-395-1: Linux kernel vulnerabilities

Mark Dowd discovered that the netfilter iptables module did not correctly handle fragmented packets. By sending specially crafted packets, a remote attacker could exploit this to bypass firewall rules. This has only been fixed for Ubuntu 6.10; the corresponding fix for Ubuntu 5.10 and 6.06 will follow soon. (CVE-2006-4572) Dmitriy Monakhov…

14 December 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-394-1: Ruby vulnerability

An error was found in Ruby’s CGI library that did not correctly quote the boundary of multipart MIME requests. Using a crafted HTTP request, a remote user could cause a denial of service, where Ruby CGI applications would end up in a loop, monopolizing a CPU.

8 December 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-393-2: GnuPG2 vulnerabilities

USN-389-1 and USN-393-1 fixed vulnerabilities in gnupg. This update provides the corresponding updates for gnupg2. Original advisory details: A buffer overflow was discovered in GnuPG. By tricking a user into running gpg interactively on a specially crafted message, an attacker could execute arbitrary code with the user’s privileges. …

7 December 2006 | ubuntu-6.10

USN-393-1: GnuPG vulnerability

Tavis Ormandy discovered that gnupg was incorrectly using the stack. If a user were tricked into processing a specially crafted message, an attacker could execute arbitrary code with the user’s privileges.

7 December 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-390-3: evince-gtk vulnerability

USN-390-2 fixed vulnerabilities in evince. This update provides the corresponding update for evince-gtk. Original advisory details: A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with…

7 December 2006 | ubuntu-6.10, ubuntu-6.06-lts

USN-390-2: evince vulnerability

USN-390-1 fixed a vulnerability in evince. The original fix did not fully solve the problem, allowing for a denial of service in certain situations. Original advisory details: A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could…

6 December 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-392-1: xine-lib vulnerability

A buffer overflow was discovered in the Real Media input plugin in xine-lib. If a user were tricked into loading a specially crafted stream from a malicious server, the attacker could execute arbitrary code with the user’s privileges.

4 December 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-391-1: libgsf vulnerability

A heap overflow was discovered in the OLE processing code in libgsf. If a user were tricked into opening a specially crafted OLE document, an attacker could execute arbitrary code with the user’s privileges.

4 December 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-390-1: evince vulnerability

A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user’s privileges.

30 November 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10