Debian and Ubuntu share a lot of the same software and collaboration with each other is beneficial to both distributions. The information in this page should be considered supplemental to Ubuntu/ForDebianDevelopers, and that page should be considered mandatory reading for Debian Developers who have not worked with Ubuntu before. There is also a lot of information on working with the Ubuntu Security team in general.
The Ubuntu Security team adheres to responsible disclosure and coordination with other vendors and upstreams. It is hoped that Debian Developers and members of the Debian Security team will find the information in this page valuable for collaborating with Ubuntu and providing updates in Debian.
To report a security vulnerability in Ubuntu, please file a bug in Launchpad, being sure to check 'This bug is a security vulnerability'. Security bugs are initially marked private and can only be seen by members of the Ubuntu Security team.
If you prefer to contact the Ubuntu Security team directly, please send an email to email@example.com.
Ubuntu Security team members should also be available in #debian-security on OFTC, #ubuntu-security on Freenode, and regularly participate in the oss-security mailing list.
Ubuntu Security Notices
Like Debian, Ubuntu issues security notices (Ubuntu Security Notices or USNs) for packages that are officially supported. USNs are sent to the moderated ubuntu-security-announce mailing list and also updated on the Ubuntu website. Unlike Debian, not all packages in the Ubuntu archive which receive security updates will receive a security notice. For packages that are not officially supported, we encourage community members and interested Debian Developers to get involved and fix security bugs.
http://www.ubuntu.com/usn/ (USN website)
https://lists.ubuntu.com/archives/ubuntu-security-announce/ (archive for mailing list)
The Ubuntu Security team uses the Ubuntu CVE Tracker (UCT) to track information on CVEs. Several times a week an Ubuntu Security team member will review CVEs in MITRE, NVD, oss-security, Debian and other distributions for new and updated information on CVEs. As CVEs are researched by Ubuntu Security team and community members, the Ubuntu CVE Tracker is updated with information. This information typically contains links to patches, commits, bugs (Ubuntu, Debian, upstream, and other vendors), vendor updates, USNs, and/or notes for particular versions. The CVE information is exported in a searchable HTML format. Ubuntu Security team members also regularly update the Debian security-tracker with 'not-for-us' CVE information and embedded-code-copies updates. For more information on contributing to and using UCT, please see the README file.
http://people.canonical.com/~ubuntu-security/cve/ (search page to UCT)
http://people.canonical.com/~ubuntu-security/cve/priority.html (list of priority levels for CVEs in Ubuntu)
https://launchpad.net/ubuntu-cve-tracker/trunk (UCT bzr branch)
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README (README file for UCT)
Security bugs in Ubuntu are tracked in Launchpad. It is important to note that because of the specific types of information that the Ubuntu Security team and MOTU-Swat teams track, CVEs are typically not tracked in Launchpad at this time, but instead in the Ubuntu CVE Tracker (UCT). That said, Debian Developers should feel free to file security bugs in Launchpad, and a member of the Ubuntu Security team will triage that bug and add or update the corresponding CVE in UCT. In addition, Ubuntu developers file bugs with Debian with patches to fix vulnerabilities in Debian when there is no corresponding Debian bug, and add this information to UCT.
Finding updates in Ubuntu
Ubuntu security updates should use the same patch system as the Debian package. Ubuntu Security Notices contain links to source packages and binaries as well as additional package information via Launchpad, so for officially supported packages navigating to the USN should be all that is needed. For community-supported packages, look up the CVE in UCT. If it is marked 'released', there should be version information for the package. You can then go to Launchpad to find the relevant information.
All security updates in Ubuntu go to what is called the 'security pocket' (see our FAQ for more information on pockets) and are copied to security.ubuntu.com.
http://security.ubuntu.com/ubuntu/ (security pocket containing all Ubuntu security updates)
Getting updates into Ubuntu
When a package in Ubuntu has the same version as a version in Debian, it is often eligible for syncing into Ubuntu. For syncing packages from Debian into the Ubuntu development release, please see "How can I ask Ubuntu to copy my package from Debian?" from the Ubuntu/ForDebianDevelopers page.
In stable releases of Ubuntu where the Ubuntu package has the same version as in Debian, the Ubuntu Security team will perform a sync from Debian (called a 'security fake sync'). These are typically performed weekly by a member of the Ubuntu Security team for packages that are not officially supported. Officially supported packages are not eligible for security fake syncs and should instead use a backported patch. The Ubuntu Security team and community use the D2U website to see which packages are eligible for syncs.
For packages in the development release of Ubuntu that have a delta from Debian, the package from Debian can be merged into Ubuntu. A merge takes the new Debian version and applies the previous relevant Ubuntu delta.
For packages in stable releases of Ubuntu that have a different version than what is in Debian, a patch should be backported.
Merges and backported patches should have a Launchpad bug opened, and the upload should close that bug automatically via debian/changelog.
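As an added illustration (not from this page or the Ubuntu Security team's own documentation), this is what a debian/changelog entry for a backported security patch in a stable Ubuntu release looks like when it closes its Launchpad bug: an "LP: #NNNNNN" reference anywhere in the entry closes that bug on upload, and the distribution field names the release's security pocket. The package name examplepkg, the version string, the RELEASE placeholder, and the CVE and bug numbers are all placeholders; the "SECURITY UPDATE" layout follows the convention used in Ubuntu security uploads and is assumed here rather than stated on this page.

```text
examplepkg (1.2.3-4ubuntu0.1) RELEASE-security; urgency=medium

  * SECURITY UPDATE: one-line description of the flaw being fixed
    - debian/patches/CVE-YYYY-NNNN.patch: what the patch changes and in
      which source file; backported from the upstream fix.
    - CVE-YYYY-NNNN
    - LP: #NNNNNN

 -- Uploader Name <uploader@example.com>  Mon, 01 Jan 2001 00:00:00 +0000
```

The "ubuntu0.1" suffix marks the first Ubuntu-specific revision of a package that was previously identical to Debian; the same entry is used whether the fix is sponsored by the Ubuntu Security team or by MOTU-Swat.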
For community-supported packages, either a member of the Ubuntu Security team or the MOTU-Swat team can help with sponsoring patches into Ubuntu.
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures (general update procedures)
https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue (getting your patches sponsored into Ubuntu)