These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list. To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.


Latest notices

USN-810-2: NSPR update

USN-810-1 fixed vulnerabilities in NSS. This update provides the NSPR needed to use the new NSS. Original advisory details: Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names. A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash)…

4 August 2009 | ubuntu-9.04, ubuntu-8.10, ubuntu-8.04-lts

USN-810-1: NSS vulnerabilities

Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names. A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash) or execute arbitrary code as the user invoking the program. (CVE-2009-2404) Moxie Marlinspike and Dan Kaminsky independently…

4 August 2009 | ubuntu-9.04, ubuntu-8.10, ubuntu-8.04-lts

USN-808-1: Bind vulnerability

Micha Krause discovered that Bind did not correctly validate certain dynamic DNS update packets. An unauthenticated remote attacker could send specially crafted traffic to crash the DNS server, leading to a denial of service.

29 July 2009 | ubuntu-9.04, ubuntu-8.10, ubuntu-8.04-lts, ubuntu-6.06-lts

USN-807-1: Linux kernel vulnerabilities

Michael Tokarev discovered that the RTL8169 network driver did not correctly validate buffer sizes. A remote attacker on the local network could send specially crafted traffic that would crash the system or potentially grant elevated privileges. (CVE-2009-1389) Julien Tinnes and Tavis Ormandy discovered that when executing setuid processes the…

28 July 2009 | ubuntu-9.04, ubuntu-8.10, ubuntu-8.04-lts, ubuntu-6.06-lts

USN-806-1: Python vulnerabilities

It was discovered that Python incorrectly handled certain arguments in the imageop module. If an attacker were able to pass specially crafted arguments through the crop function, they could execute arbitrary code with user privileges. For Python 2.5, this issue only affected Ubuntu 8.04 LTS. (CVE-2008-4864) Multiple integer overflows were…

23 July 2009 | ubuntu-8.10, ubuntu-8.04-lts, ubuntu-6.06-lts

USN-798-1: Firefox and Xulrunner vulnerabilities

Several flaws were discovered in the Firefox browser and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466,…

22 July 2009 | ubuntu-9.04, ubuntu-8.10, ubuntu-8.04-lts

USN-805-1: Ruby vulnerabilities

It was discovered that Ruby did not properly validate certificates. An attacker could exploit this and present invalid or revoked X.509 certificates. (CVE-2009-0642) It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service. (CVE-2009-1904)

20 July 2009 | ubuntu-9.04, ubuntu-8.10, ubuntu-8.04-lts, ubuntu-6.06-lts

USN-804-1: PulseAudio vulnerability

Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that PulseAudio did not safely re-execute itself. A local attacker could exploit this to gain root privileges.

16 July 2009 | ubuntu-9.04, ubuntu-8.10, ubuntu-8.04-lts

USN-803-1: dhcp vulnerability

It was discovered that the DHCP client as included in dhcp3 did not verify the length of certain option fields when processing a response from an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a malicious dhcp server, a remote attacker could cause a denial of service or execute arbitrary code as the user invoking the…

14 July 2009 | ubuntu-9.04, ubuntu-8.10, ubuntu-8.04-lts, ubuntu-6.06-lts

USN-802-1: Apache vulnerabilities

It was discovered that mod_proxy_http did not properly handle a large amount of streamed data when used as a reverse proxy. A remote attacker could exploit this and cause a denial of service via memory resource consumption. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04. (CVE-2009-1890) It was discovered that mod_deflate did not abort…

13 July 2009 | ubuntu-9.04, ubuntu-8.10, ubuntu-8.04-lts, ubuntu-6.06-lts