In Ubuntu 10.04 (and perhaps later) there appears to be a serious vulnerability to a brute force dictionary attack on any Apache server that is using MySQL to validate user logins.
This issue means that neither fail2ban nor Apache mod_security detects the attack.
I would prefer not to list the detail here.
Could someone contact me or explain to me how I can report the problem without posting the vulnerability to the whole world?
You'll need to file a bug against the package you're having an issue with. You can use these instructions to report a bug. Once all the data is collected LaunchPad will open a window and you can continue with the bug reporting process.
Alternatively, visit the LaunchPad Ubuntu page (https://bugs.launchpad.net/ubuntu/+source/<PACKAGENAME>) then fill out the details.
Once a summary and duplicate detection have completed, but prior to submitting your report, there will be the following option at the bottom of the page that you will need to select:
Doing so will make this bug hidden and alert the security team.
