How do I report a sensitive security issue?

In Ubuntu 10.04 (and perhaps later) there appears to be a serious vulnerability to a brute force dictionary attack on any Apache server that is using MySQL to validate user logins.

This issue means that neither fail2ban nor Apache mod_security detects the attack.

I would prefer not to list the detail here.

Could someone contact me or explain to me how I can report the problem without posting the vulnerability to the whole world?


You'll need to file a bug against the package you're having an issue with. You can use these instructions to report a bug. Once all the data is collected, Launchpad will open a window and you can continue with the bug reporting process.

Alternatively, visit the Launchpad Ubuntu page (https://bugs.launchpad.net/ubuntu/+source/<PACKAGENAME>) then fill out the details.

Once a summary and duplicate detection have completed, but prior to submitting your report, there will be the following option at the bottom of the page that you will need to select:

[image]

Doing so will make this bug hidden and alert the security team.