This answer is a combination of the two answers the original poster said helped them. Together they answer both parts of the question asked. This answer was created so the asker could accept a single answer that has both parts.
"CVE" stands for "Common Vulnerabilities and Exposures". It is an industry standard for the notation, and especially for the naming, of security vulnerabilities. The list of CVEs is maintained by the MITRE Corporation. This non-profit company was branched off from the Massachusetts Institute of Technology (MIT) as a service for US research institutions. For more information, see CVE and MITRE Corporation on Wikipedia.
(originally by Henning Kockerbeck)
Fixes for CVEs are made upstream by the developers of a given program and are then either SRU'd (Stable Release Update) or uploaded to the latest development release of Ubuntu, either by the developers of the upstream program, by the Ubuntu Security Team, or, if the community helped to develop the patch for the package, by a member of the Security Team sponsoring the upload.
For programs that are in Main, and maintained by the developers for Canonical, the Ubuntu Security Team will typically update a package and place it in the RELEASE-security repository (where RELEASE is precise, quantal, raring, etc.).
Programs that are in Universe are typically community maintained, and anyone in the community can prepare an SRU or a patch to include the CVE fixes. Those fixes are then sponsored by the Security Team for uploading and inclusion into Ubuntu.
(originally by Thomas W.)
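An added example, not part of either original answer, of the check a practitioner actually wants after reading the above: did a given CVE fix reach the package that is installed here? It works from the two things the answer names, the RELEASE-security pocket and the package changelog. The inputs are constructed samples (a hypothetical package `examplepkg` on a hypothetical release `noble`, and the placeholder ids `CVE-2024-0000` and `CVE-2024-00000`), not output captured from a real system; on a real machine the same functions take the output of `apt-cache policy PKG` and `apt-get changelog PKG`.

```shell
#!/bin/sh
# Added example (not from the original answers). Determine whether a CVE fix has
# reached the installed version of a package, from `apt-cache policy` output and
# the package changelog. All sample data below is constructed: hypothetical
# package "examplepkg", release "noble", placeholder ids CVE-2024-0000/CVE-2024-00000.

SAMPLE_POLICY='examplepkg:
  Installed: 1.2.3-0ubuntu1.1
  Candidate: 1.2.3-0ubuntu1.2
  Version table:
     1.2.3-0ubuntu1.2 500
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
 *** 1.2.3-0ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.2.3-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages'

# Same package, but a locally built .deb is installed: no archive source at all.
SAMPLE_POLICY_LOCAL='examplepkg:
  Installed: 9.9-local1
  Candidate: 9.9-local1
  Version table:
 *** 9.9-local1 100
        100 /var/lib/dpkg/status
     1.2.3-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages'

# Constructed changelog in Debian/Ubuntu format, newest entry first.
SAMPLE_CHANGELOG='examplepkg (1.2.3-0ubuntu1.2) noble-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted input
    - debian/patches/CVE-2024-00000.patch: reject oversized records
    - CVE-2024-00000

 -- Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>  Tue, 02 Jan 2024 00:00:00 +0000

examplepkg (1.2.3-0ubuntu1.1) noble-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in the parser
    - debian/patches/CVE-2024-0000.patch: add a bounds check in src/parse.c
    - CVE-2024-0000

 -- Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>  Mon, 01 Jan 2024 00:00:00 +0000

examplepkg (1.2.3-0ubuntu1) noble; urgency=medium

  * New upstream release'

# Print the "Installed:" version from `apt-cache policy` output.
installed_version() {
    printf '%s\n' "$1" | awk '$1 == "Installed:" { print $2; exit }'
}

# Print each pocket (suite) the installed version is available from, one per
# line (e.g. noble-updates, noble-security). Prints nothing when the installed
# version exists only in /var/lib/dpkg/status, i.e. it came from no archive.
installed_pockets() {
    printf '%s\n' "$1" | awk '
        /^ \*\*\* /                        { inst = 1; next }   # entry for the installed version
        inst && NF == 2 && $2 ~ /^[0-9]+$/ { exit }             # next version entry: stop
        inst && NF >= 3 && $2 ~ /:\/\//    { split($3, s, "/"); print s[1] }  # "suite/component"
    '
}

# Succeed if the installed version is served from a RELEASE-security pocket.
from_security_pocket() {
    installed_pockets "$1" | grep -q -- '-security$'
}

# CVE ids are CVE-<year>-<four or more digits>, the MITRE naming scheme above.
valid_cve_id() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# Succeed if changelog $1 names CVE id $3 in the entry for version $2 or in any
# older entry (everything below that header is contained in that version).
# Whole-token match, so CVE-2024-0000 does not match CVE-2024-00000.
cve_fixed_by_version() {
    valid_cve_id "$3" || return 2
    printf '%s\n' "$1" | awk -v ver="$2" -v cve="$3" '
        $1 ~ /^[a-z0-9][a-z0-9.+-]+$/ && $2 == ("(" ver ")") { seen = 1 }   # header line
        !seen { next }
        { n = split($0, w, /[^A-Za-z0-9_-]+/)
          for (i = 1; i <= n; i++) if (w[i] == cve) { found = 1; exit } }
        END { exit !found }
    '
}

# One-line verdict: exit 0 when the CVE is fixed in the installed version.
report() {
    ver=$(installed_version "$1")
    if from_security_pocket "$1"; then src="a -security pocket"; else src="a non-security source"; fi
    if cve_fixed_by_version "$2" "$ver" "$3"; then
        echo "$3: fixed in installed $ver (from $src)"
    else
        echo "$3: NOT fixed in installed $ver (from $src); check the candidate version"
        return 1
    fi
}

report "$SAMPLE_POLICY" "$SAMPLE_CHANGELOG" CVE-2024-0000
report "$SAMPLE_POLICY" "$SAMPLE_CHANGELOG" CVE-2024-00000 || :
```

Against the constructed data the first call reports the CVE as fixed (the installed 1.2.3-0ubuntu1.1 comes from noble-security and its changelog entry names CVE-2024-0000), while the second reports it as not fixed because CVE-2024-00000 only appears in the newer candidate 1.2.3-0ubuntu1.2. The pocket check is deliberately separate from the changelog check: a version can sit in both -updates and -security, and a locally built package matches neither, which is why `installed_pockets` may print nothing.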