8

In Ubuntu 10.04 (and perhaps later) there appears to be a serious vulnerability to a brute force dictionary attack on any Apache server that is using MySQL to validate user logins.

This issue means that neither fail2ban nor Apache mod_security detects the attack.

I would prefer not to list the detail here.

Could someone contact me or explain to me how I can report the problem without posting the vulnerability to the whole world?

Jorge Castro
paul

1 Answer

10

You'll need to file a bug against the package you're having an issue with. You can use these instructions to report a bug. Once all the data is collected, Launchpad will open a window and you can continue with the bug reporting process.

Alternatively, visit the Launchpad Ubuntu page (https://bugs.launchpad.net/ubuntu/+source/<PACKAGENAME>), then fill out the details.

Once a summary and duplicate detection have completed, but prior to submitting your report, there will be the following option at the bottom of the page that you will need to select:

[Image]

Doing so will make this bug hidden and alert the security team.

Marco Ceppi