These are the Ubuntu security notices that affect the current supported releases of Ubuntu. These notices are also posted to the ubuntu-security-announce mailing list (list archive). To report a security vulnerability in an Ubuntu package, please contact the Ubuntu Security Team. You may also be interested in learning about Ubuntu security policies. For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.

You can also view the latest notices by subscribing to the RSS or Atom feeds.

Latest notices

USN-382-1: Thunderbird vulnerabilities

USN-352-1 fixed a flaw in the verification of PKCS certificate signatures. Ulrich Kuehn discovered a variant of the original attack which the original fix did not cover. (CVE-2006-5462) Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious email…

21 November 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-381-1: Firefox vulnerabilities

USN-351-1 fixed a flaw in the verification of PKCS certificate signatures. Ulrich Kuehn discovered a variant of the original attack which the original fix did not cover. (CVE-2006-5462) Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious web page…

21 November 2006 | ubuntu-6.06-lts, ubuntu-5.10

USN-384-1: OpenLDAP vulnerability

Evgeny Legerov discovered that the OpenLDAP libraries did not correctly truncate authcid names. This situation would trigger an assert and abort the program using the libraries. A remote attacker could send specially crafted bind requests that would lead to an LDAP server denial of service.

21 November 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-383-1: libpng vulnerability

Tavis Ormandy discovered that libpng did not correctly calculate the size of sPLT structures when reading an image. By tricking a user or an automated system into processing a specially crafted PNG file, an attacker could exploit this weakness to crash the application using the library.

17 November 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-380-1: Avahi vulnerability

Steve Grubb discovered that netlink messages were not being checked for their sender identity. This could lead to local users manipulating the Avahi service.

11 November 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-379-1: texinfo vulnerability

Miloslav Trmac discovered a buffer overflow in texinfo’s index processor. If a user is tricked into processing a .texi file with texindex, this could lead to arbitrary code execution with user privileges.

9 November 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-376-2: imlib2 regression fix

USN-376-1 provided an update to imlib2 to fix several security vulnerabilities. Unfortunately the update broke JPG file handling in certain situations. This update corrects this problem. We apologize for the inconvenience.

6 November 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10

USN-378-1: RPM vulnerability

An error was found in the RPM library’s handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user were tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user’s privileges.

4 November 2006 | ubuntu-6.10, ubuntu-6.06-lts

USN-377-1: NVIDIA vulnerability

Derek Abdine discovered that the NVIDIA Xorg driver did not correctly verify the size of buffers used to render text glyphs. When displaying very long strings of text, the Xorg server would crash. If a user were tricked into viewing a specially crafted series of glyphs, this flaw could be exploited to run arbitrary code with root privileges.

4 November 2006 | ubuntu-6.10, ubuntu-6.06-lts

USN-376-1: imlib2 vulnerabilities

M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user’s privileges.

3 November 2006 | ubuntu-6.10, ubuntu-6.06-lts, ubuntu-5.10