These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or the Atom feeds.

Latest notices

USN-645-3: Firefox and xulrunner regression

USN-645-1 fixed vulnerabilities in Firefox and xulrunner. The upstream patches introduced a regression in the saved password handling. While password data was not lost, if a user had saved any passwords with non-ASCII characters, Firefox could not access the password database. This update fixes the problem. We apologize for the…

25 September 2008 | ubuntu-8.04-lts

USN-645-2: Firefox vulnerabilities

USN-645-1 fixed vulnerabilities in Firefox and xulrunner for Ubuntu 7.04, 7.10 and 8.04 LTS. This provides the corresponding update for Ubuntu 6.06 LTS. Original advisory details: Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an…

24 September 2008 | ubuntu-6.06-lts

USN-645-1: Firefox and xulrunner vulnerabilities

Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an attacker could overflow a stack buffer and execute arbitrary code. (CVE-2008-0016) It was discovered that the same-origin check in Firefox could be bypassed. If a user were tricked into…

24 September 2008 | ubuntu-8.04-lts, ubuntu-7.10, ubuntu-7.04

USN-646-1: rdesktop vulnerabilities

It was discovered that rdesktop did not properly validate the length of packet headers when processing RDP requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user. (CVE-2008-1801) Multiple buffer overflows were discovered…

18 September 2008 | ubuntu-8.04-lts, ubuntu-7.10, ubuntu-7.04, ubuntu-6.06-lts

USN-644-1: libxml2 vulnerabilities

It was discovered that libxml2 did not correctly handle long entity names. If a user were tricked into processing a specially crafted XML document, a remote attacker could execute arbitrary code with user privileges or cause the application linked against libxml2 to crash, leading to a denial of service. (CVE-2008-3529) USN-640-1 fixed…

11 September 2008 | ubuntu-8.04-lts, ubuntu-7.10, ubuntu-7.04, ubuntu-6.06-lts

USN-643-1: FreeType vulnerabilities

Multiple flaws were discovered in the PFB and TTF font handling code in freetype. If a user were tricked into using a specially crafted font file, a remote attacker could execute arbitrary code with user privileges or cause the application linked against freetype to crash, leading to a denial of service.

11 September 2008 | ubuntu-8.04-lts, ubuntu-7.10, ubuntu-7.04, ubuntu-6.06-lts

USN-642-1: Postfix vulnerability

Wietse Venema discovered that Postfix leaked internal file descriptors when executing non-Postfix commands. A local attacker could exploit this to cause Postfix to run out of descriptors, leading to a denial of service.

10 September 2008 | ubuntu-8.04-lts, ubuntu-7.10
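The Postfix flaw above is an instance of a general daemon bug: a private descriptor created without the close-on-exec flag is inherited by every command the daemon spawns, and each such command holds a descriptor the daemon can no longer reclaim. The following is an added example, not Postfix's code and not part of the Ubuntu advisory, showing the check a practitioner would run against their own daemon: hold a private pipe open, spawn an unrelated command, and ask that command whether it can see the pipe. It assumes a POSIX system and Python 3.7 or newer; the names PROBE, spawn_and_probe, leak_check and descriptor_leaks are this example's own. Because Python marks descriptors non-inheritable by default, the leaky case has to be opted into explicitly to reproduce the bug class.

```python
import os
import subprocess
import sys

# Probe run inside the spawned command (the stand-in for a "non-Postfix command").
# It reports what, if anything, is open at the descriptor number passed in argv[1].
PROBE = """
import os, stat, sys
fd = int(sys.argv[1])
try:
    st = os.fstat(fd)
except OSError:
    print("closed")
else:
    print("fifo" if stat.S_ISFIFO(st.st_mode) else "other")
"""


def spawn_and_probe(private_fd, close_on_exec):
    """Spawn an unrelated command while the daemon holds private_fd open.

    Returns what the child sees at that descriptor number: 'closed', 'fifo' or
    'other'. close_on_exec=False models a daemon that created the descriptor
    without O_CLOEXEC (assumption of this example: Python makes descriptors
    non-inheritable by default, so the leaky path is opted into here).
    """
    os.set_inheritable(private_fd, not close_on_exec)
    result = subprocess.run(
        [sys.executable, "-c", PROBE, str(private_fd)],
        close_fds=False,  # mimic an exec path that never sweeps stray descriptors
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.strip()


def leak_check(close_on_exec):
    """Create an internal pipe (the daemon's private state), spawn a command and
    report whether the pipe's read end leaked into it."""
    rfd, wfd = os.pipe()
    try:
        return spawn_and_probe(rfd, close_on_exec)
    finally:
        os.close(rfd)
        os.close(wfd)


def descriptor_leaks(close_on_exec):
    """True when the spawned command can see the daemon's private pipe."""
    return leak_check(close_on_exec) == "fifo"


if __name__ == "__main__":
    print("without FD_CLOEXEC:", leak_check(close_on_exec=False))
    print("with FD_CLOEXEC:   ", leak_check(close_on_exec=True))
```

The fix shown is the descriptor flag itself rather than a sweep in the spawn path: marking every internal descriptor close-on-exec at creation time protects all exec paths, including ones added later, whereas passing close_fds=True (the subprocess default) only protects the call sites that remember to do so.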

USN-641-1: Racoon vulnerabilities

It was discovered that there were multiple ways to leak memory during the IKE negotiation when handling certain packets. If a remote attacker sent repeated malicious requests, the “racoon” key exchange server could allocate large amounts of memory, possibly leading to a denial of service.

8 September 2008 | ubuntu-8.04-lts, ubuntu-7.10, ubuntu-7.04, ubuntu-6.06-lts

USN-640-1: libxml2 vulnerability

Andreas Solberg discovered that libxml2 did not handle recursive entities safely. If an application linked against libxml2 were made to process a specially crafted XML document, a remote attacker could exhaust the system’s CPU resources, leading to a denial of service.

3 September 2008 | ubuntu-8.04-lts, ubuntu-7.10, ubuntu-7.04, ubuntu-6.06-lts
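The recursive-entity problem in USN-640-1 is one form of unbounded entity expansion; the "billion laughs" nesting of many small entities is the other. As an added example, not libxml2's code and not part of the Ubuntu advisory, the following Python pre-parse guard walks the internal DTD subset, rejects any entity that reaches itself and any entity whose fully expanded size would exceed a budget, refuses external entity declarations outright, and only then hands the document to ElementTree. The functions guard, expansion_sizes, parse_guarded and is_safe, the sample documents, and the MAX_EXPANSION budget are this example's own; the regular expressions are a deliberate simplification of the XML DTD grammar, and a production deployment should prefer the parser's own entity limits where it offers them.

```python
import re
import xml.etree.ElementTree as ET

# Simplified matchers for this example: internal general entities with a quoted
# replacement text, external (SYSTEM/PUBLIC) declarations, and entity references.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b")
ENTITY_REF = re.compile(r"&([\w.-]+);")

MAX_EXPANSION = 10_000  # illustrative budget: bytes of expanded entity text accepted


class UnsafeDocument(ValueError):
    """Raised before the real parser ever sees the document."""


def declared_entities(doc):
    """Return {name: replacement text} for entities declared in the internal subset."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in ENTITY_DECL.finditer(doc)
    }


def expansion_sizes(entities):
    """Compute each entity's fully expanded length without expanding anything.

    Raises UnsafeDocument on a reference cycle (an entity that reaches itself)
    or when any entity would expand past MAX_EXPANSION. Memoisation makes this
    linear in the number of declarations, so a billion-laughs document is
    rejected for almost no cost.
    """
    sizes = {}

    def size(name, chain):
        if name in chain:
            raise UnsafeDocument("recursive entity: " + " -> ".join(chain + [name]))
        if name in sizes:
            return sizes[name]
        text = entities.get(name)
        if text is None:
            return len(name) + 2  # undefined or predefined reference: count it as literal text
        total = len(text)
        for ref in ENTITY_REF.findall(text):
            total += size(ref, chain + [name]) - (len(ref) + 2)  # '&ref;' replaced by its expansion
            if total > MAX_EXPANSION:
                raise UnsafeDocument(f"entity {name!r} expands past {MAX_EXPANSION} bytes")
        sizes[name] = total
        return total

    for name in entities:
        size(name, [])
    return sizes


def guard(doc):
    """Run every check; return the per-entity expansion sizes of an accepted document."""
    if EXTERNAL_ENTITY.search(doc):
        raise UnsafeDocument("external entity declarations are not accepted")
    return expansion_sizes(declared_entities(doc))


def is_safe(doc):
    try:
        guard(doc)
        return True
    except UnsafeDocument:
        return False


def parse_guarded(doc):
    """Parse with ElementTree only after the guard accepts the document."""
    guard(doc)
    return ET.fromstring(doc)


# Constructed sample documents for this example.
BENIGN = '<!DOCTYPE note [<!ENTITY co "Example Corp">]><note><from>&co;</from></note>'
RECURSIVE = '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>'


def billion_laughs(depth=9):
    """Each level references the previous one ten times; depth 9 expands to ~3 GB."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        refs = f"&{prev};" * 10
        decls.append(f'<!ENTITY lol{i} "{refs}">')
        prev = f"lol{i}"
    return "<!DOCTYPE lolz [" + "".join(decls) + f"]><lolz>&{prev};</lolz>"


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("recursive", RECURSIVE), ("billion laughs", billion_laughs())]:
        try:
            print(label, "accepted, entity sizes:", guard(doc))
        except UnsafeDocument as exc:
            print(label, "rejected:", exc)
```

The cycle check is what catches the class of bug in this notice: an entity that references itself, directly or through other entities, has no finite expansion, so the guard reports the chain instead of letting a parser recurse on it. The size budget handles the finite-but-enormous case, and the external-entity refusal is there because a guard that only inspects internal entities would pass SYSTEM entities straight through to whatever resolver the application uses.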

USN-639-1: tiff vulnerability

Drew Yao discovered that the TIFF library did not correctly validate LZW compressed TIFF images. If a user or automated system were tricked into processing a malicious image, a remote attacker could execute arbitrary code or cause an application linked against libtiff to crash, leading to a denial of service.

2 September 2008 | ubuntu-8.04-lts, ubuntu-7.10, ubuntu-7.04, ubuntu-6.06-lts