These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-675-1: Pidgin vulnerabilities

It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2008-2927) It was discovered that Pidgin did not properly handle file transfers containing a long filename and special…

24 November 2008 | ubuntu-8.04-lts, ubuntu-7.10

USN-674-2: HPLIP vulnerabilities

USN-674-1 provided packages to fix vulnerabilities in HPLIP. Due to an internal archive problem, the updates for Ubuntu 7.10 would not install properly. This update provides fixed packages for Ubuntu 7.10. We apologize for the inconvenience. Original advisory details: It was discovered that the hpssd tool of hplip did not validate privileges…

24 November 2008 | ubuntu-7.10

USN-674-1: HPLIP vulnerabilities

It was discovered that the hpssd tool of hplip did not validate privileges in the alert-mailing function. A local attacker could exploit this to gain privileges and send e-mail messages from the account of the hplip user. This update alters hplip behaviour by preventing users from setting alerts and by moving alert configuration to a…

19 November 2008 | ubuntu-8.04-lts, ubuntu-7.10, ubuntu-6.06-lts

USN-673-1: libxml2 vulnerabilities

Drew Yao discovered that libxml2 did not correctly handle certain corrupt XML documents. If a user or automated system were tricked into processing a malicious XML document, a remote attacker could cause applications linked against libxml2 to enter an infinite loop, leading to a denial of service. (CVE-2008-4225) Drew Yao discovered that libxml2…

19 November 2008 | ubuntu-8.10, ubuntu-8.04-lts, ubuntu-7.10, ubuntu-6.06-lts

USN-672-1: ClamAV vulnerability

Moritz Jodeit discovered that ClamAV did not correctly handle certain strings when examining a VBA project. If a remote attacker tricked ClamAV into processing a malicious VBA file, ClamAV would crash, leading to a denial of service.

17 November 2008 | ubuntu-8.10

USN-667-1: Firefox and xulrunner vulnerabilities

Liu Die Yu discovered an information disclosure vulnerability in Firefox when using saved .url shortcut files. If a user were tricked into downloading a crafted .url file and a crafted HTML file, an attacker could steal information from the user’s cache. (CVE-2008-4582) Georgi Guninski, Michal Zalewski and Chris Evans discovered that…

17 November 2008 | ubuntu-8.10, ubuntu-8.04-lts, ubuntu-7.10, ubuntu-6.06-lts

USN-671-1: MySQL vulnerabilities

It was discovered that MySQL could be made to overwrite existing table files in the data directory. An authenticated user could use the DATA DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks. This update alters table creation behaviour by disallowing the use of the MySQL data directory in DATA DIRECTORY and INDEX…

17 November 2008 | ubuntu-8.04-lts, ubuntu-7.10, ubuntu-6.06-lts

USN-670-1: VMBuilder vulnerability

Mathias Gug discovered that vm-builder improperly set the root password when creating virtual machines. An attacker could exploit this to gain root privileges to the virtual machine by using a predictable password. This vulnerability only affects virtual machines created with vm-builder under Ubuntu 8.10, and does not affect native…

13 November 2008 | ubuntu-8.10, ubuntu-8.04-lts, ubuntu-7.10, ubuntu-6.06-lts

USN-669-1: gnome-screensaver vulnerabilities

It was discovered that the notify feature in gnome-screensaver could let a local attacker read the clipboard contents of a locked session by using Ctrl-V. (CVE-2007-6389) Alan Matsuoka discovered that gnome-screensaver did not properly handle network outages when using a remote authentication service. During a network interruption, or by…

11 November 2008 | ubuntu-7.10, ubuntu-6.06-lts

USN-666-1: Dovecot vulnerability

It was discovered that certain email headers were not correctly handled by Dovecot. If a remote attacker sent a specially crafted email to a user with a mailbox managed by Dovecot, that user’s mailbox would become inaccessible through Dovecot, leading to a denial of service.

7 November 2008 | ubuntu-8.10